How to search and compare virus alert data to see if a client had an infection that was not removed, but was successfully removed later?

zimmermann_0
Engager

Hi all

We have virus alerts in Splunk. What I would like to do is to create an overview to check if a certain client had an infection where AV was not able to remove it, but maybe a couple of hours later, the AV was able to successfully remove it. The target would be a list of "really" infected devices.

Let's assume these two example events happen:

First Event:

Mar  4 09:32:07 Malware detected (Malware Name: BAD VIRUS, 2. Computer name: COMPUTER, Detection time(UTC time): 3/3/2016 10:07:53 AM, Malware file path: FILEPATH, Remediation action: Quarantine, Action status: Failed)

And then a bit later a 2nd one occurs:

Mar  4 12:32:07 Malware detected (Malware Name: BAD VIRUS, 2. Computer name: COMPUTER, Detection time(UTC time): 3/3/2016 11:07:53 AM, Malware file path: FILEPATH, Remediation action: Quarantine, Action status: Succeeded)

I have the following fields:
_time
malware --> Malware Name
computer --> the affected device
action_status --> Succeeded or Failed

Basically, the comparison of the two events should be like:
show devices where
malwareOLD = malwareNEW
computerOLD = computerNEW
_timeOLD different from _timeNEW
action_statusOLD = Failed and action_statusNEW IS NOT Succeeded

I hope you understand what I mean.

1 Solution

woodcock
Esteemed Legend

Avoid transaction whenever possible, so try this:

... | stats values(*) AS * dc(_time) AS numTimes earliest(action_status) AS firstStatus latest(action_status) AS lastStatus BY computer malware | where numTimes>1 AND firstStatus="Failed" AND NOT lastStatus="Succeeded"

Or maybe even just this:

... | stats values(*) AS * dc(_time) AS numTimes BY computer malware | search numTimes>1 action_status="Failed" NOT action_status="Succeeded"

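As an added illustration (not part of the original thread, and not Splunk's or woodcock's code), here is the same check as the first stats search carried out in Python over a handful of constructed alert lines in the format from the question, so the per-(computer, malware) grouping and the earliest/latest status comparison can be followed offline. The hostnames HOST2 and HOST3, the extra malware names and the parse_event/find_unremediated helpers are all made up for this example; the "2. Computer name:" label is kept exactly as it appears in the post, and events are ordered by the UTC detection time because the syslog prefix carries no year.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events in the same syslog-style format as the question
# (not real alert data). COMPUTER/FILEPATH placeholders are kept from the post;
# HOST2 and HOST3 are made-up hostnames added to exercise the other branches.
SAMPLE_EVENTS = """\
Mar  4 09:32:07 Malware detected (Malware Name: BAD VIRUS, 2. Computer name: COMPUTER, Detection time(UTC time): 3/3/2016 10:07:53 AM, Malware file path: FILEPATH, Remediation action: Quarantine, Action status: Failed)
Mar  4 12:32:07 Malware detected (Malware Name: BAD VIRUS, 2. Computer name: COMPUTER, Detection time(UTC time): 3/3/2016 11:07:53 AM, Malware file path: FILEPATH, Remediation action: Quarantine, Action status: Succeeded)
Mar  4 13:10:00 Malware detected (Malware Name: OTHER VIRUS, 2. Computer name: HOST2, Detection time(UTC time): 3/4/2016 1:05:00 PM, Malware file path: FILEPATH, Remediation action: Quarantine, Action status: Failed)
Mar  4 14:10:00 Malware detected (Malware Name: OTHER VIRUS, 2. Computer name: HOST2, Detection time(UTC time): 3/4/2016 2:05:00 PM, Malware file path: FILEPATH, Remediation action: Quarantine, Action status: Failed)
Mar  4 15:00:00 Malware detected (Malware Name: THIRD VIRUS, 2. Computer name: HOST3, Detection time(UTC time): 3/4/2016 2:55:00 PM, Malware file path: FILEPATH, Remediation action: Quarantine, Action status: Failed)
"""

# Field extraction for one "Malware detected (...)" line. Lazy matches bounded by
# the next literal label keep malware names and file paths containing spaces intact.
EVENT_RE = re.compile(
    r"^(?P<syslog_ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) Malware detected \("
    r"Malware Name: (?P<malware>.+?), "
    r"2\. Computer name: (?P<computer>.+?), "
    r"Detection time\(UTC time\): (?P<detected>.+?), "
    r"Malware file path: (?P<path>.+?), "
    r"Remediation action: (?P<action>.+?), "
    r"Action status: (?P<action_status>\w+)\)$"
)


def parse_event(line):
    """Return a dict of fields for one alert line, or None if it does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    # The syslog prefix has no year, so order events by the UTC detection time instead.
    ev["detected"] = datetime.strptime(ev["detected"], "%m/%d/%Y %I:%M:%S %p")
    return ev


def find_unremediated(log_text, require_repeat=True):
    """Group alerts by (computer, malware) and flag groups whose first status is
    Failed and whose latest status is not Succeeded, i.e. the same test as
    stats earliest()/latest() followed by where in the accepted answer.

    require_repeat=True keeps the answer's numTimes>1 condition; set it to False
    to also report a host with a single Failed alert and no later attempt at all.
    """
    groups = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue  # not an alert line in the expected format
        groups[(ev["computer"], ev["malware"])].append(ev)

    flagged = []
    for (computer, malware), events in sorted(groups.items()):
        events.sort(key=lambda e: e["detected"])
        num_times = len({e["detected"] for e in events})  # dc(_time)
        first_status = events[0]["action_status"]          # earliest(action_status)
        last_status = events[-1]["action_status"]          # latest(action_status)
        if require_repeat and num_times < 2:
            continue
        if first_status == "Failed" and last_status != "Succeeded":
            flagged.append({
                "computer": computer,
                "malware": malware,
                "num_times": num_times,
                "first_status": first_status,
                "last_status": last_status,
                "last_detected": events[-1]["detected"].isoformat(),
            })
    return flagged


if __name__ == "__main__":
    for row in find_unremediated(SAMPLE_EVENTS, require_repeat=False):
        print(row)
```

On the sample data COMPUTER drops out because its latest status is Succeeded, HOST2 is reported with two Failed attempts, and HOST3 (one Failed alert, no retry) only appears when require_repeat is False; that last case is worth keeping in mind, since the numTimes>1 condition in the search silently excludes hosts where the AV never tried again.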

DMohn
Motivator

You could try using the transaction command here ...

your_base_search | transaction malware, computer endswith="Succeeded" keepevicted=true | search closed_txn=0

zimmermann_0
Engager

Thanks to both, woodcock's solution seems to do what I need 🙂
