Splunk Search

How to start and stop a search based on certain criteria?

jhilton90
Path Finder

Short Description

In short we have a particular search that we want to run during a specific period, and we want that search to stop after that specific period.

Long Description

We are trying to introduce some automation into our Splunk searches at the moment and one of the searches we are looking to automate forms part of our call out process. We get called out for a specific event where we then have to run a few searches and set the time frame manually. 

The event that we get called out for is triggered once the LoginLimit > 30 which we can view on a line graph. We know the event has ended because the LoginLimit falls back below 30.

What we are trying to achieve is to somehow automate the searches when the LoginLimit > 30 and stop the search once the LoginLimit < 30 again. Then output the results.

Hopefully I've articulated this as clearly as possible, but if not I'll do my best to clear things up.


shivanshu1593
Builder

Could you please tell us a bit more about what else that search does apart from looking for LoginLimit > 30? Also, once the said duration is over, would you like to see the output in the form of an email, or in a dashboard, etc.?

The reason behind asking these questions is to better understand the requirement. If you'd like to see the output of the search after the duration is over in an email, then just scheduling the search with a targeted time range and cron can help you to run it automatically, and the results of each iteration can be put into a static lookup. Then another search can be scheduled and configured after the event is over, which will basically pull the results of the lookup and send them to you over email.

If the requirement is to do something else, then a solution for that can be designed accordingly.

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###

jhilton90
Path Finder

So it's to do with our credential stuffing process. The Splunk search should capture the login attempts during an attack, which can last from 2 minutes to 10 minutes. Originally we had it as a time-based search, but the metrics kept getting skewed because of how long some of the attacks were taking.

We would ideally like to see output in the form of an email, but we have this process already in place.

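As an added worked example (editor's addition, not code from either poster), here is one way to put Shiv's scheduled-search-plus-lookup suggestion together with the requirement jhilton90 describes: capture the login attempts only while LoginLimit is above 30, stop when it drops back, and email the result once per attack. Instead of a collector search feeding a second search, a single scheduled alert looks back over the last 30 completed minutes every minute, groups consecutive over-threshold minutes into episodes with streamstats, and fires exactly once for an episode whose last over-threshold minute has just been followed by a completed minute below the threshold; the episode summary is appended to a lookup as the history Shiv mentions and sent by email. Everything concrete here is an assumption: the index and sourcetype (`index=auth`, `sourcetype=web:login`), the field names `src_ip`, `user` and `status`, the lookup `callout_episodes.csv`, the mail address, and that LoginLimit means login attempts per minute (whatever the original line-graph search computes, the part after `timechart` only needs a per-minute series with that name).

```ini
# savedsearches.conf fragment. Added example, not from the thread.
# Assumed: login events in index=auth, sourcetype=web:login, with fields src_ip,
# user and status; LoginLimit = login attempts per minute. The stanza name, the
# lookup name and the mail address are invented for this example.
#
# Runs every minute over the 30 completed minutes ending two minutes ago (one
# minute of margin for indexing lag). Attacks here last 2-10 minutes, so the
# window always covers a whole episode. timechart fills quiet minutes with 0,
# so the episode boundaries are detected from a gap-free per-minute series.
[callout_credential_stuffing_episode]
enableSched = 1
cron_schedule = * * * * *
dispatch.earliest_time = -32m@m
dispatch.latest_time = -2m@m
search = index=auth sourcetype=web:login action=login \
  | timechart span=1m count AS LoginLimit dc(src_ip) AS distinct_sources \
        dc(user) AS distinct_users count(eval(status="failure")) AS failures \
  | eval in_attack = if(LoginLimit > 30, 1, 0) \
  | streamstats current=f last(in_attack) AS prev_in_attack \
  | eval episode_start = if(in_attack=1 AND coalesce(prev_in_attack, 0)=0, 1, 0) \
  | streamstats sum(episode_start) AS episode_id \
  | where in_attack=1 \
  | stats min(_time) AS attack_start max(_time) AS attack_end \
          sum(LoginLimit) AS total_attempts sum(failures) AS failed_attempts \
          max(LoginLimit) AS peak_per_minute max(distinct_sources) AS peak_distinct_sources \
          dc(_time) AS active_minutes BY episode_id \
  | eval last_complete_minute = relative_time(now(), "-3m@m") \
  | where attack_end = last_complete_minute - 60 \
  | eval duration_min = (attack_end - attack_start) / 60 + 1 \
  | fields - episode_id last_complete_minute \
  | outputlookup append=true callout_episodes.csv \
  | convert ctime(attack_start) ctime(attack_end)
# Fire whenever the search returns a row, i.e. an episode ended in the minute
# just before the last completed one. The condition is true for one run only,
# so the email goes out exactly once per episode.
counttype = number of events
relation = greater than
quantity = 0
action.email = 1
action.email.to = callout@example.com
action.email.subject = Credential stuffing ended: $result.total_attempts$ attempts over $result.duration_min$ min
action.email.sendresults = 1
action.email.inline = 1
```

Two caveats worth knowing before deploying something like this. The question's own wording leaves a minute at exactly 30 in neither state; the example treats only LoginLimit > 30 as "in attack", so a minute at 30 ends the episode. And a single minute that dips below the threshold splits one attack into two episodes and two emails; if that happens in practice, lengthen the gap test (for example, compare against `last_complete_minute - 120` and require two quiet minutes) rather than widening the threshold.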