Splunk Search

Looking for disconnection events that do NOT have a matching reconnection event

Path Finder

The context: We have an integration between a tool and AD using agents. Every so often, the tool reports that the agent disconnected, and then about 5-20 minutes later, it'll say the agent reconnected.

I already have a search that uses transaction to get me what I need in general, but it's not quite what I'm looking for. The draft:

index="connector" eventType="ad.agent.connect"
| rex field=target "\"displayName\": \"(?<agent>[^\"]+)\".+"
| transaction agent startswith="ad.agent.disconnected" endswith="ad.agent.reconnected"
| table _time, displayMessage, agent
| sort _time

What I actually want: Only events that do not have an event "ad.agent.reconnected" within 30 minutes of the "ad.agent.disconnected" event.

maxspan isn't doing it for me; I need something more like minspan, or invert=true, or something. The agent name isn't unique enough to go "if you never see this field again".



Ultra Champion
index="connector" eventType="ad.agent.connect"
| rex field=target "\"displayName\": \"(?<agent>[^\"]+)\".+"
| reverse
| streamstats count(eval(searchmatch("ad.agent.disconnected"))) as session by agent
| stats min(_time) as _time range(_time) as duration by session agent

Check this result, and then add:

| where duration > 30 * 60 
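The pairing logic the answer above builds with reverse, streamstats and range(_time), worked through as an added Python example that is not code from the thread or from Splunk. It takes a handful of constructed events (the field layout, the agent names, and the helper names `event`, `searchmatch` and `find_unmatched_disconnects` are all assumptions for illustration), pairs each ad.agent.disconnected with the next ad.agent.reconnected for the same agent, and reports only the disconnects whose reconnect is later than the window. It also handles the case the stats version cannot see, a disconnect with no reconnect at all, and distinguishes a genuinely unmatched disconnect from one that is simply too recent to judge when the search range ends.

```python
"""Flag ad.agent.disconnected events with no ad.agent.reconnected within a window.

Added worked example; not code from the thread. It reproduces in Python the
idea of the answer's SPL (order oldest-first, pair each disconnect with the
next reconnect for the same agent, keep the pairs whose gap exceeds the
threshold) and also covers the case range(_time) cannot express: a
disconnect that is never followed by a reconnect at all.
"""
import bisect
import re
from datetime import datetime, timedelta, timezone

DISCONNECT = "ad.agent.disconnected"
RECONNECT = "ad.agent.reconnected"
WINDOW = timedelta(minutes=30)

# Same extraction as the thread's rex: displayName inside the target field.
AGENT_RE = re.compile(r'"displayName": "([^"]+)"')


def ts(s):
    """Parse a UTC timestamp like 2024-05-01T10:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def event(time, message, agent):
    """Build one constructed event; the field layout is assumed, not taken from the page."""
    return {"_time": ts(time), "eventType": "ad.agent.connect", "displayMessage": message,
            "target": '[{"displayName": "%s", "type": "AdAgent"}]' % agent}


# Constructed sample events, newest first as a default Splunk search returns them.
SAMPLE_EVENTS = [
    event("2024-05-01T12:50:00Z", DISCONNECT, "DC03-agent"),  # too recent to judge
    event("2024-05-01T11:45:00Z", RECONNECT, "DC01-agent"),   # 45 min after its disconnect
    event("2024-05-01T11:30:00Z", DISCONNECT, "DC02-agent"),  # never reconnects
    event("2024-05-01T11:00:00Z", DISCONNECT, "DC01-agent"),
    event("2024-05-01T10:12:00Z", RECONNECT, "DC01-agent"),   # 12 min: a normal flap
    event("2024-05-01T10:00:00Z", DISCONNECT, "DC01-agent"),
    event("2024-05-01T09:50:00Z", RECONNECT, "DC02-agent"),   # earlier reconnect must not pair
]


def extract_agent(ev):
    m = AGENT_RE.search(ev.get("target", ""))
    return m.group(1) if m else None


def searchmatch(ev, term):
    """Loose stand-in for SPL searchmatch(): the term occurs in some field value."""
    return any(term in str(v) for v in ev.values())


def find_unmatched_disconnects(events, window=WINDOW, search_end=None):
    """Return one finding per disconnect whose next reconnect for the same agent
    is missing or arrives later than `window`.

    search_end is the latest time the search covers. A disconnect newer than
    search_end - window with no reconnect yet is reported as 'pending' rather
    than 'unmatched', because its reconnect may still arrive.
    """
    events = sorted(events, key=lambda e: e["_time"])   # like `| reverse`
    if search_end is None:
        search_end = events[-1]["_time"]

    # Sorted reconnect times per agent, so the next reconnect is one bisect away.
    reconnects = {}
    for ev in events:
        if searchmatch(ev, RECONNECT):
            reconnects.setdefault(extract_agent(ev), []).append(ev["_time"])

    findings = []
    for ev in events:
        if not searchmatch(ev, DISCONNECT):
            continue
        agent = extract_agent(ev)
        times = reconnects.get(agent, [])
        i = bisect.bisect_left(times, ev["_time"])    # first reconnect at or after it
        if i < len(times):
            gap = times[i] - ev["_time"]
            if gap <= window:
                continue                               # resolved in time: not of interest
            status, reconnected_at = "late_reconnect", times[i]
        else:
            gap = search_end - ev["_time"]
            reconnected_at = None
            status = "unmatched" if gap > window else "pending"
        findings.append({"agent": agent, "disconnected_at": ev["_time"],
                         "reconnected_at": reconnected_at,
                         "gap_minutes": gap.total_seconds() / 60, "status": status})
    return findings


if __name__ == "__main__":
    for f in find_unmatched_disconnects(SAMPLE_EVENTS, search_end=ts("2024-05-01T13:00:00Z")):
        print(f"{f['agent']:<11} {f['status']:<15} disconnected {f['disconnected_at']:%H:%M}"
              f" gap {f['gap_minutes']:.0f} min")
```

The "pending" status is the part worth carrying back into whatever search or alert you build: a disconnect in the last 30 minutes of the search range has not had its chance to reconnect yet, so counting it as unmatched produces a false alarm on every scheduled run.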