Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use eval to find the usecase?

AL3Z
Builder
‎03-30-2023 11:45 PM

Hi,
Could any one able to write the query for the use case if user triggers both alerts (alert_name="*pdm*" AND alert_name="*encrypted*") in between 2 hours

another use case is alertname!="*pdm*" if user triggers other than pdm alert in between 2 hours 

need a query for above use cases 
thanks...

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-31-2023 12:13 AM

You could start by counting the alerts by user over a two hour period

| stats count by user alert_name

 Then classify the alerts

| eval alert_type=case(like(alert_name,"%pdm%"), "pdm", like(alert_name,"%encrypted%"), "encrypted", 1==1, "notpdm")
| chart count by user alert_type
| where (pdm > 0 AND encrypted > 0) OR notpdm > 1
Reply

AL3Z
Builder
‎03-31-2023 12:35 AM

@ITWhisperer 

Hi, Could you please make search seperate as per the use case instead of all in one search

1.Use case alert_name= "*pdm*" AND alert_name="*encrypted*"

Both alerts in between 2 hours.

2. Use case alertname!="*pdm*"

Between 2 hours of period.

Thanks

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-31-2023 01:10 AM 
| eval alert_type=case(like(alert_name,"%pdm%"), "pdm", like(alert_name,"%encrypted%"), "encrypted", 1==1, "notpdm")
| chart count by user alert_type
| where pdm > 0 AND encrypted > 0
| eval alert_type=case(like(alert_name,"%pdm%"), "pdm", like(alert_name,"%encrypted%"), "encrypted", 1==1, "notpdm")
| chart count by user alert_type
| where notpdm > 1
Reply

AL3Z
Builder
‎03-31-2023 01:36 AM

@ITWhisperer 

Second use case is like alert_ name other than pdm, dnt mention encrypted,we are not interested in encrypted alert_name in second search. 

Alert_ name!= "*pdm*"

Here we are using *pdm* coz to find the similar word pdm in alert_name 

Pls remove encrypted from query it is different alert type ,

Only need alert_name !="*pdm*"

 

Thanks

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-31-2023 01:48 AM

It is a simple change - you could have done it yourself?

| eval alert_type=case(like(alert_name,"%pdm%"), "pdm", 1==1, "notpdm")
| chart count by user alert_type
| where notpdm > 1
Reply

AL3Z
Builder
‎03-31-2023 06:45 AM

@ITWhisperer ,

Hi,

In this search you didn't mention any time interval like the period of two hours 

When the user triggers the non pdm alerts in between 2 hours of  time 

0 Karma
Reply

AL3Z
Builder
‎03-31-2023 03:13 AM

@ITWhisperer 
Could you pls check why this query is  not listing all the stats  fields in the output
index=es sourcetype=alert (alert_name!="*PDM*")
| stats earliest(_time) as incident_time,
values(severity) as severity,
values(action) as action,
values(file_type) as file_type,
values(exposure) as exposure,
values(url) as url,
values(device) as device
by user,alert_name
| eval alert_type=case(like(alert_name,"%pdm%"), "pdm", 1==1, "notpdm")
| chart count by user alert_type
| where notpdm > 1

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-31-2023 03:15 AM

Try it this way

index=es sourcetype=alert NOT (alert_name="*PDM*")
Reply

AL3Z
Builder
‎03-31-2023 03:24 AM

@ITWhisperer 

Why still it is not listing out the stats fields mentioned ? What could be the reason

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-31-2023 03:27 AM

The chart command has two dimensions - in your case, these are user, and alert_type, against which there is a count.

If you want more fields, don't use chart.

What are you attempting to show?

0 Karma
Reply

AL3Z
Builder
‎03-31-2023 05:16 AM

@ITWhisperer ,

Other fields as well like dlprule,filetype,incidentime

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-31-2023 07:03 AM

Don't use chart!

Try with eventstats

| eventstats count by user alert_type
| where alert_type=="notpdm" AND count > 1
0 Karma
Reply

AL3Z
Builder
‎04-03-2023 10:49 AM

@ITWhisperer ,

Pls could you make the search in between 2 hours more than 3 times if user triggers alert other than pdm

Thanks 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-04-2023 12:45 AM

Change the timeframe of the search to be the time period you want.

0 Karma
Reply
Get Updates on the Splunk Community!

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

Overwhelmed SOC? Splunk ES Has Your Back Tool sprawl, alert fatigue, and endless context switching are making ...

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us on ...