Splunk Search

How to look for two values that occur at the same time per host?

AssureSec
Loves-to-Learn

Hello all,

I am trying to figure out the following:

1. If an alert for rule_id1 occurs at the same time on the same host as an alert for rule_id2 then don’t report the alert on rule_id2.
2. Otherwise report alerts on rule_id2

I have tried the if(match) and if(like) method and neither are able to yield the results I am hoping for.  Also not sure how to incorporate the time check as well to ensure they fired at the same-ish time.

Any and all help greatly appreciated!

Thanks!

0 Karma

AssureSec
Loves-to-Learn

So basically rule_id1 and 2 are two different events.  What we want to do is make sure that if there is an event for rule_id1 and an event for rule_id2 on the same host, at the same time, we don't display those and only display the events where only rule_id2 has an event.  If both rule_id1 and rule_id2 have an event at the same time for the same host, those are false positives.

rule_id1 and rule_id2 are the same field just different values. How to find when they occur at the same-ish time and on the same host/user and then only display the unique occurrences of rule_id2 or what is left.

0 Karma

yuanliu
SplunkTrust

Assume that the field with values rule_id1 and 2 is called "rule", and the condition "same-ish" can be implemented with search in 5-minute bins, this should work:

index=myindex rule IN (rule_id1, rule_id2)
| bin span=5m _time
| stats values(rule) as rule by _time host
| where rule == "rule_id2" AND NOT rule == "rule_id1"

The last filter reads a little silly if it is in another language.  But SPL's equality operator returns true when any value in a multivalue field matches, if the other value is single valued.  A more semantically explicit expression can be

| where isnotnull(mvfind(rule, "rule_id2")) AND isnull(mvfind(rule, "rule_id1"))

In plain English, the search says: give me data containing values of both rule_id1 and rule_id2 in each 5-minute calendar interval for each host, then find out which host and interval combinations contain only rule_id2 and not rule_id1.  A key test of suitability for this solution will be whether x-calendar interval is a good enough approximation of "same-ish". (What I am getting at is that a calendar interval is not a rolling time window.)

0 Karma
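The calendar-bin logic of the search above, beside the rolling-window alternative the caveat mentions, as an added Python example that is not from this thread. The alert records and the 5-minute span are constructed assumptions; the point is that the same rule_id2 event can be reported by one method and suppressed by the other.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts, not real data: (time, host, rule)
EVENTS = [
    ("2023-03-01 10:01:00", "web01", "rule_id1"),
    ("2023-03-01 10:03:00", "web01", "rule_id2"),  # same 5m bin as rule_id1 -> suppressed
    ("2023-03-01 10:12:00", "web02", "rule_id2"),  # rule_id2 alone -> reported
    ("2023-03-01 10:04:30", "db01", "rule_id1"),
    ("2023-03-01 10:05:30", "db01", "rule_id2"),   # 1 min apart, but a different 5m bin
]

def parse(events):
    return [(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), h, r) for t, h, r in events]

def bin_time(ts, span_min=5):
    # Equivalent of "| bin span=5m _time": floor to the calendar 5-minute boundary
    return ts.replace(minute=ts.minute - ts.minute % span_min, second=0, microsecond=0)

def report_binned(events, span_min=5):
    """Mimics: bin span=5m | stats values(rule) by _time host
    | where rule_id2 present AND rule_id1 absent. Returns (bin, host) pairs."""
    groups = defaultdict(set)
    for ts, host, rule in parse(events):
        groups[(bin_time(ts, span_min), host)].add(rule)
    return sorted((b.isoformat(), h) for (b, h), rules in groups.items()
                  if "rule_id2" in rules and "rule_id1" not in rules)

def report_rolling(events, window_min=5):
    """Rolling window: suppress a rule_id2 alert if any rule_id1 alert on the
    same host falls within +/- window_min of it. Returns (time, host) pairs."""
    evs = parse(events)
    window = timedelta(minutes=window_min)
    reported = []
    for ts, host, rule in evs:
        if rule != "rule_id2":
            continue
        paired = any(h == host and r == "rule_id1" and abs(t - ts) <= window
                     for t, h, r in evs)
        if not paired:
            reported.append((ts.isoformat(), host))
    return sorted(reported)

if __name__ == "__main__":
    print("calendar bins:", report_binned(EVENTS))
    print("rolling window:", report_rolling(EVENTS))
```

The db01 pair is one minute apart yet straddles a bin boundary, so the binned search reports it while the rolling window suppresses it; which behaviour is right depends on what "same-ish" means for the rule.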

yuanliu
SplunkTrust

Because SPL is a streaming language, you'll have to explain and illustrate raw data (anonymize as needed), illustrate how rule_id1 and rule_id2 relate to such data.

For example, suppose your raw data contains some events with a field rule_id1, some others with a field rule_id2; suppose the first alert fires up when rule_id1 exists, and the second alert fires up when rule_id2 exists plus the simultaneity condition you described.  Further assume that "same-ish time" means test in 5-minute bins.  Then, your second alert can be

| bin span=5m _time
| stats values(rule_id1) values(rule_id2) by _time host
| where isnull('values(rule_id1)') AND isnotnull('values(rule_id2)')

This example shows how a solution is closely related to details of data and individual criteria.

0 Karma