Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is there a way to detect a particular series of consecutive events that are interrupted by other events?

juliafum
New Member
‎09-21-2018 07:38 AM

Hello,

Is there a way to detect a particular series of consecutive events that are interrupted by other events?

I have data like...

timestamp   Event
01.01.2018  A
02.01.2018  X
03.01.2018  X
04.01.2018  B
05.01.2018  X
06.01.2018  X
07.01.2018  X
08.01.2018  B

...and I want to detect the sequences A B A, which I would add as a flag field.

Tags (1)
0 Karma
Reply

DalJeanis
Legend
‎09-21-2018 10:51 AM

There are two different parts to your question.

First, can you detect a series of events that have other events interspersed? Yes, of course.

Second, can you "mark" them or flag them? In a search, yes. However, not in terms of a data model or tags, since those are based on individual events.

In order to give you the best advices, we would need more information on the sequence. You said A > B > A, but your data shows only A > B > B.

This search is likely to use a streamstats command of some sort.

Let's suppose you only care when an A changes to B or back to A. Here's a run-anywhere example that marks the records you want to flag.

| makeresults
| eval mydata="01.01.2018,A;02.01.2018,X;03.01.2018,Q;04.01.2018,B;05.01.2018,G;06.01.2018,X;07.01.2018,R;08.01.2018,B;09.01.2018,A;"
| makemv delim=";" mydata
| mvexpand mydata
| makemv delim="," mydata
| eval _time=strptime(mvindex(mydata,0),"%m.%d.%Y")
| eval Event=mvindex(mydata,1)
| eval Host="test"
| table _time Event Host
| rename COMMENT as "The above enters your test data. We've added a key (Host) in case you have multiple sets of data at one time"

| rename COMMENT as "Mark the events we care about"
| eval checkme=case(Event="A",Event, Event="B",Event)

| rename COMMENT as "Copy the related values forward, only on the records we care about."
| streamstats current=f last(checkme) as lastcheck by Host

| rename COMMENT as "If the values exist and have changed, flag the event."
| eval flagme=case(lastcheck!=checkme,"Y")

That's it. Replace by Host with the keys you care about, or eliminate it completely if you only need to process one set of transactions at a time.

0 Karma
Reply

msivill_splunk
Splunk Employee
Splunk Employee
‎09-21-2018 10:35 AM

Is it just A -> B -> A to be detected what about B -> A -> B or any other combinations of events?

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...