Splunk Search

How to search for hosts with an issue where a type of event was not followed by another type within an hour?

shellnight
Explorer

Need to find hosts where an event of a type was not followed by event of another type within an hour

I need to find hosts where a virus infection was detected and the antivirus failed to perform any action, i.e. where "None" is not followed up by one of the other events "Blocked OR removed OR quarantined" within 1 hour.

Fields available are

ComputerName=
VirusName= 
Action Taken=

Sample log

10/11/2014 20:01 : ComputerName=test1 VirusName=conficker  ActionTaken=None 
10/11/2014 20:02 "ComputerName=test1 VirusName=conficker  ActionTaken=blocked 
10/11/2014 22:01 : ComputerName=test20 VirusName=conficker  ActionTaken=None
10/11/2014 20:01 : ComputerName=test30 VirusName=conficker  ActionTaken=None 
10/11/2014 20:02 "ComputerName=test30 VirusName=conficker  ActionTaken=removed

As you can see above, no action was taken by the antivirus on computer test20. I need to write a search query to create a report or dashboard that finds any such machine.

Any pointers in the right direction would be appreciated
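Added example, not part of the question and not Splunk's own code: the pairing logic the search has to express (group by host and virus, flag every ActionTaken=None that no blocked/removed/quarantined event follows within an hour), written in Python over constructed log lines modelled on the post so it runs offline. The month/day/year reading of the timestamp and the extra host test40 (a follow-up that arrives too late) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, modelled on the lines in the question; test40 is an
# added host whose follow-up action arrives after more than an hour.
SAMPLE_LOG = """\
10/11/2014 20:01 : ComputerName=test1 VirusName=conficker  ActionTaken=None
10/11/2014 20:02 "ComputerName=test1 VirusName=conficker  ActionTaken=blocked
10/11/2014 22:01 : ComputerName=test20 VirusName=conficker  ActionTaken=None
10/11/2014 20:01 : ComputerName=test30 VirusName=conficker  ActionTaken=None
10/11/2014 20:02 "ComputerName=test30 VirusName=conficker  ActionTaken=removed
10/11/2014 20:00 : ComputerName=test40 VirusName=conficker  ActionTaken=None
10/11/2014 21:30 : ComputerName=test40 VirusName=conficker  ActionTaken=Blocked
"""
FOLLOW_UP = {"blocked", "removed", "quarantined"}
WINDOW = timedelta(hours=1)
LINE_RE = re.compile(r'^(\d{2}/\d{2}/\d{4} \d{2}:\d{2})\s*[:"]?\s*(.*)$')
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_events(text):
    """Parse 'timestamp : key=value ...' lines; the separator after the time varies in the post."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(KV_RE.findall(m.group(2)))
        if {"ComputerName", "VirusName", "ActionTaken"} <= fields.keys():
            # Month/day/year assumed for the timestamp (the post does not say).
            fields["_time"] = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M")
            events.append(fields)
    return events

def unresolved_detections(events, window=WINDOW):
    """(host, virus, time) for each ActionTaken=None with no blocked/removed/
    quarantined event for the same host and virus within `window` afterwards."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["ComputerName"], e["VirusName"])].append(e)
    flagged = []
    for (host, virus), evs in by_key.items():
        evs.sort(key=lambda e: e["_time"])
        for i, e in enumerate(evs):
            if e["ActionTaken"].lower() != "none":
                continue
            if not any(later["ActionTaken"].lower() in FOLLOW_UP
                       and later["_time"] - e["_time"] <= window for later in evs[i + 1:]):
                flagged.append((host, virus, e["_time"].strftime("%m/%d/%Y %H:%M")))
    return flagged
```

Action values are compared case-insensitively, so "Blocked" and "blocked" both count as a follow-up; only the host+virus pair is matched, so an action on a different virus name does not resolve the detection.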
