Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to search for ValueA, look ahead to the following 20 events, and return results if there is no corresponding ValueB?

amljohnson
Explorer
‎10-20-2015 10:23 AM

This is probably a very basic Splunk question, but as I move beyond basic searches, these are the kinds of use cases I'm needing help with:

Here's the scenario:

field sc_status contains the HTTP response code (either 401 or 200 in this case)

A successful Kerberos authentication is going to show a 401 response (auth challenge) followed by a corresponding 200 response when the auth occurs successfully.

An error condition exists if multiple 401 responses exist in the logs (lets say 20 or more) without a corresponding 200 response.

So - to show these in a search (or an alert), I need to be able to: find a 401 response, lookahead to the subsequent 20 events, and return results if there's not a corresponding 200 message.

The transaction command works great at grouping events into 401/200 login events, but is there a way to show 401s that AREN'T captured by the transaction?

Thanks in advance...

0 Karma
Reply

jeffland
SplunkTrust
SplunkTrust
‎10-20-2015 11:34 AM

Assuming you already have your events in an appropriate order, i.e. sorted by time and an ip adress or something like that, this should do it:

... | eval 200_event=if(sc_status=="200",1,0) | streamstats sum(200_event) as id | streamstats count as attempts by id | where attempts>=20

For demo:

* | stats count | fields - count | eval sc_status="401,200,401,401,401,401,401,200,401,401,401,401,401,401,401,401,401,401,401,401,401,401,401,401,401,401,401,401,401,401,401,401,401,401,404,200" | makemv delim="," sc_status | mvexpand sc_status | eval 200_event=if(sc_status=="200",1,0) | streamstats sum(200_event) as id | streamstats count as attempts by id

There may be better approaches though, this is just straightforward what you described.

0 Karma
Reply

amljohnson
Explorer
‎10-21-2015 09:19 AM

Thanks for the help!

Though it looks like your evaluation looks for 20 200 events rather than 401s? Perhaps you can explain in plain language what you're doing with this query?

0 Karma
Reply

jeffland
SplunkTrust
SplunkTrust
‎10-21-2015 09:32 AM

Ah! You're right, I switched the two cases in the if statement around. Sorry for that, I just edited the original post. It should now work as intended, which is in plain language this: You eval a field "200_event" to contain a 1 each time a successfull login takes place, and then you keep a running total (the "id" field) of these events. This is useful because each time you have one of those 200 events, you can conclude that the last 401 has successfully been answered. This in turn means that a running count of the same attempt without a successful 200 answer (i.e. no change in the "id" field) can help you track down someone with multiple unsuccessful attempts.

If that didn't clear things up enough, feel free to ask further 🙂

0 Karma
Reply

somesoni2
Revered Legend
‎10-20-2015 10:51 AM

Have you tried transaction command with option maxevents?? There are options in transaction command to keep events which do not form transaction.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...