Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use eval to find the usecase?

AL3Z
Builder
‎03-30-2023 11:45 PM

Hi,
Could any one able to write the query for the use case if user triggers both alerts (alert_name="*pdm*" AND alert_name="*encrypted*") in between 2 hours

another use case is alertname!="*pdm*" if user triggers other than pdm alert in between 2 hours 

need a query for above use cases 
thanks...

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-31-2023 12:13 AM

You could start by counting the alerts by user over a two hour period

| stats count by user alert_name

 Then classify the alerts

| eval alert_type=case(like(alert_name,"%pdm%"), "pdm", like(alert_name,"%encrypted%"), "encrypted", 1==1, "notpdm")
| chart count by user alert_type
| where (pdm > 0 AND encrypted > 0) OR notpdm > 1
Reply

AL3Z
Builder
‎03-31-2023 12:35 AM

@ITWhisperer 

Hi, Could you please make search seperate as per the use case instead of all in one search

1.Use case alert_name= "*pdm*" AND alert_name="*encrypted*"

Both alerts in between 2 hours.

2. Use case alertname!="*pdm*"

Between 2 hours of period.

Thanks

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-31-2023 01:10 AM 
| eval alert_type=case(like(alert_name,"%pdm%"), "pdm", like(alert_name,"%encrypted%"), "encrypted", 1==1, "notpdm")
| chart count by user alert_type
| where pdm > 0 AND encrypted > 0
| eval alert_type=case(like(alert_name,"%pdm%"), "pdm", like(alert_name,"%encrypted%"), "encrypted", 1==1, "notpdm")
| chart count by user alert_type
| where notpdm > 1
Reply

AL3Z
Builder
‎03-31-2023 01:36 AM

@ITWhisperer 

Second use case is like alert_ name other than pdm, dnt mention encrypted,we are not interested in encrypted alert_name in second search. 

Alert_ name!= "*pdm*"

Here we are using *pdm* coz to find the similar word pdm in alert_name 

Pls remove encrypted from query it is different alert type ,

Only need alert_name !="*pdm*"

 

Thanks

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-31-2023 01:48 AM

It is a simple change - you could have done it yourself?

| eval alert_type=case(like(alert_name,"%pdm%"), "pdm", 1==1, "notpdm")
| chart count by user alert_type
| where notpdm > 1
Reply

AL3Z
Builder
‎03-31-2023 06:45 AM

@ITWhisperer ,

Hi,

In this search you didn't mention any time interval like the period of two hours 

When the user triggers the non pdm alerts in between 2 hours of  time 

0 Karma
Reply

AL3Z
Builder
‎03-31-2023 03:13 AM

@ITWhisperer 
Could you pls check why this query is  not listing all the stats  fields in the output
index=es sourcetype=alert (alert_name!="*PDM*")
| stats earliest(_time) as incident_time,
values(severity) as severity,
values(action) as action,
values(file_type) as file_type,
values(exposure) as exposure,
values(url) as url,
values(device) as device
by user,alert_name
| eval alert_type=case(like(alert_name,"%pdm%"), "pdm", 1==1, "notpdm")
| chart count by user alert_type
| where notpdm > 1

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-31-2023 03:15 AM

Try it this way

index=es sourcetype=alert NOT (alert_name="*PDM*")
Reply

AL3Z
Builder
‎03-31-2023 03:24 AM

@ITWhisperer 

Why still it is not listing out the stats fields mentioned ? What could be the reason

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-31-2023 03:27 AM

The chart command has two dimensions - in your case, these are user, and alert_type, against which there is a count.

If you want more fields, don't use chart.

What are you attempting to show?

0 Karma
Reply

AL3Z
Builder
‎03-31-2023 05:16 AM

@ITWhisperer ,

Other fields as well like dlprule,filetype,incidentime

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-31-2023 07:03 AM

Don't use chart!

Try with eventstats

| eventstats count by user alert_type
| where alert_type=="notpdm" AND count > 1
0 Karma
Reply

AL3Z
Builder
‎04-03-2023 10:49 AM

@ITWhisperer ,

Pls could you make the search in between 2 hours more than 3 times if user triggers alert other than pdm

Thanks 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-04-2023 12:45 AM

Change the timeframe of the search to be the time period you want.

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...