Splunk Search

How to search for hosts with an issue where a type of event was not followed by another type within an hour?

Explorer

Need to find hosts where an event of one type was not followed by an event of another type within an hour.

I need to find hosts where a virus infection was detected and the antivirus failed to perform any action, i.e. where "None" is not followed by one of the other events "Blocked OR removed OR quarantined" within 1 hour.

Fields available are

ComputerName=
VirusName= 
Action Taken=

Sample log

10/11/2014 20:01 : ComputerName=test1 VirusName=conficker  ActionTaken=None 
10/11/2014 20:02 : ComputerName=test1 VirusName=conficker  ActionTaken=blocked 
10/11/2014 22:01 : ComputerName=test20 VirusName=conficker  ActionTaken=None
10/11/2014 20:01 : ComputerName=test30 VirusName=conficker  ActionTaken=None 
10/11/2014 20:02 : ComputerName=test30 VirusName=conficker  ActionTaken=removed

As you can see above, no action was taken by the antivirus on computer test20. I need to write a search query to create a report or dashboard that finds any such machine.

Any pointers in the right direction would be appreciated.


Re: How to search for hosts with an issue where a type of event was not followed by another type within an hour?

Path Finder

Would this work?

<your search here> | transaction maxspan=70m ComputerName startswith="ActionTaken=None" keepevicted=f | search NOT Blocked NOT removed NOT quarantined | table ComputerName, VirusName
0 Karma

Re: How to search for hosts with an issue where a type of event was not followed by another type within an hour?

Contributor

What Antivirus software are you using?

0 Karma

Re: How to search for hosts with an issue where a type of event was not followed by another type within an hour?

Explorer

The search ran over logs from a 1-month period with no errors but failed to retrieve any results.

One machine had 3 occurrences of ActionTaken=None and they weren't followed by any removal action:

10/11/2014 20:01 : ComputerName=test1 VirusName=conficker ActionTaken=None 
10/11/2014 20:02 : ComputerName=test1 VirusName=conficker ActionTaken=None 
10/11/2014 20:03 : ComputerName=test1 VirusName=conficker ActionTaken=None
0 Karma

Re: How to search for hosts with an issue where a type of event was not followed by another type within an hour?

Explorer

Please, can someone help?

0 Karma

Re: How to search for hosts with an issue where a type of event was not followed by another type within an hour?

SplunkTrust

Give this a try:

your base search | transaction maxspan=60m startswith="ActionTaken=None" keeporphans=t  | where mvcount(ActionTaken) =1 AND mvindex(ActionTaken,0)="None"
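The check both searches in this thread express (a per-host "ActionTaken=None" window of 60 minutes with no resolving action inside it), written out as an added Python example so the logic can be seen and tested outside Splunk. This is not Splunk code and not from any of the posts: the sample lines are constructed in the layout the question shows (two extra hosts, test40 and test50, exercise the "Unknown" and "partly removed" cases asked about later in the thread), the timestamp format is assumed to be mm/dd/yyyy HH:MM, events are grouped per ComputerName as the question requires, and the set of actions that count as a resolution is a parameter, so "Unknown" and "partly removed" do not close a window and those hosts are still reported.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in the layout the question shows (not real telemetry).
# test40 and test50 are added to exercise the "Unknown" / "partly removed" cases.
SAMPLE_LOG = """\
10/11/2014 20:01 : ComputerName=test1 VirusName=conficker ActionTaken=None
10/11/2014 20:02 : ComputerName=test1 VirusName=conficker ActionTaken=blocked
10/11/2014 22:01 : ComputerName=test20 VirusName=conficker ActionTaken=None
10/11/2014 20:01 : ComputerName=test30 VirusName=conficker ActionTaken=None
10/11/2014 20:02 : ComputerName=test30 VirusName=conficker ActionTaken=removed
10/11/2014 20:05 : ComputerName=test40 VirusName=conficker ActionTaken=None
10/11/2014 20:30 : ComputerName=test40 VirusName=conficker ActionTaken=Unknown
10/11/2014 21:10 : ComputerName=test40 VirusName=conficker ActionTaken=quarantined
10/11/2014 23:00 : ComputerName=test50 VirusName=conficker ActionTaken=None
10/11/2014 23:10 : ComputerName=test50 VirusName=conficker ActionTaken=partly removed
"""

# Only these actions count as the detection being handled. "Unknown" and
# "partly removed" are deliberately not in the set, so such hosts still surface.
RESOLVING_ACTIONS = {"blocked", "removed", "quarantined"}
WINDOW = timedelta(hours=1)  # the thread's maxspan=60m

# Assumption: timestamps are mm/dd/yyyy HH:MM (the thread does not say).
TS_FORMAT = "%m/%d/%Y %H:%M"
LINE_RE = re.compile(r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2})\s*:\s*(?P<body>.*)$")
# key=value pairs; the lazy value runs until the next " key=" or end of line, so a
# multi-word value such as "partly removed" is kept whole.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_events(text):
    """Parse log lines into dicts (field values plus a datetime under 'time').
    Lines that do not match the expected layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip() for k, v in KV_RE.findall(m.group("body"))}
        fields["time"] = datetime.strptime(m.group("ts"), TS_FORMAT)
        events.append(fields)
    return events


def find_unresolved(events, window=WINDOW, resolving=RESOLVING_ACTIONS):
    """Return (ComputerName, VirusName, time) for every ActionTaken=None event
    that is not followed, on the same host, by a resolving action within
    `window`. Any later resolving event inside the window closes it, even if
    further None events sit in between."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev.get("ComputerName", "")].append(ev)

    unresolved = []
    for host, host_events in by_host.items():
        host_events.sort(key=lambda e: e["time"])
        for i, ev in enumerate(host_events):
            if ev.get("ActionTaken", "").lower() != "none":
                continue
            deadline = ev["time"] + window
            handled = any(
                later["time"] <= deadline
                and later.get("ActionTaken", "").lower() in resolving
                for later in host_events[i + 1:]
            )
            if not handled:
                unresolved.append((host, ev.get("VirusName", ""), ev["time"]))
    return sorted(unresolved)


def hosts_needing_attention(events, **kwargs):
    """Collapse the per-event list into {host: number of unresolved None events},
    which is the report the question asks for."""
    counts = defaultdict(int)
    for host, _virus, _when in find_unresolved(events, **kwargs):
        counts[host] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for host, virus, when in find_unresolved(evs):
        print(f"{when:%Y-%m-%d %H:%M}  {host:<8} {virus}  no resolving action within 1h")
    print(hosts_needing_attention(evs))
```

On the constructed sample this reports test20 (nothing after None), test40 (only "Unknown" inside the hour; the quarantine arrives 65 minutes later) and test50 ("partly removed" is not a resolving action), while test1 and test30 are resolved. Three consecutive None events with no follow-up, as in the poster's second sample, produce three rows for that host, which is what `hosts_needing_attention` rolls up into a count.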

Re: How to search for hosts with an issue where a type of event was not followed by another type within an hour?

Explorer

Thank you very much 🙂

It works fine.

0 Karma

Re: How to search for hosts with an issue where a type of event was not followed by another type within an hour?

Explorer

Hello somesoni2, can you update the query to exclude the events where ActionTaken is either partly removed or Unknown, so that they show up in the search?

your base search | transaction maxspan=60m startswith="ActionTaken=None" keeporphans=t | where mvcount(ActionTaken) =1 AND mvindex(ActionTaken,0)="None"

0 Karma

Re: How to search for hosts with an issue where a type of event was not followed by another type within an hour?

Explorer

Hello, please can you provide an update?

0 Karma

Re: How to search for hosts with an issue where a type of event was not followed by another type within an hour?

Community Manager

Hi @shellnight,

@somesoni2 responded to the thread above with an update. Can you respond to that as a comment to confirm whether or not that updated search solves your requirement?

0 Karma