Looking for disconnection events that do NOT have ...

CMSchelin · ‎05-15-2020

The context: We have an integration between a tool and AD using agents. Every so often, the tool reports that the agent disconnected, and then about 5-20 minutes later, it'll say the agent reconnected.

I already have a search that uses transaction to get me what I need in general, but it's not quite what I'm looking for. The draft:

index="connector" eventType="ad.agent.connect"
| rex field=target "\"displayName\": \"(?<agent>[^\"]+)\".+"
| transaction agent startswith="ad.agent.disconnected" endswith="ad.agent.reconnected"
| table _time, displayMessage, agent
| sort _time

What I actually want: Only events that do not have an event "ad.agent.reconnected" within 30 minutes of the "ad.agent.disconnected" event.

maxspan isn't doing it for me; I need something more like minspan, or invert=true, or something. The agent name isn't unique enough to go "if you never see this field again".

Help?

to4kawa · ‎05-15-2020

 index="connector" eventType="ad.agent.connect"
 | rex field=target "\"displayName\": \"(?<agent>[^\"]+)\".+"
 | reverse
 | streamstats count(eval(searchmatch("ad.agent.disconnected"))) as session by agent
 | stasts min(_time) as _time range(_time) as duration by session agent

check this result, and

| where duration > 30 * 60

Looking for disconnection events that do NOT have a matching reconnection event

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!