Hi Splunkers,
I need your help on the following data set.
Index=auditbeat
host --> log source
command --> command run by host
_time --> _time
host1:
_time : 00.00:00 - 00.15:00 --> 15 min interval
commands run by host1 in time interval above (15 min) : ls, tar, sudo, whoami, cd, mkdir
host2:
_time : 00.00:00 - 00.15:00 --> 15 min interval
commands run by host2 in time interval above (15 min) : ls, rm, history, whoami, cd, mkdir
host3:
_time : 00.00:00 - 00.15:00 --> 15 min interval
commands run by host3 in time interval above (15 min) : ls, chown, chroot, whoami, cd, mkdir
I need to write a search which will look at each 15 min time interval; within EACH 15 min time interval, if any machine (host) ran all of these commands, 'whoami', 'chroot' and 'history', the search will list the result as follows:
time interval -- host -- commands
Thanks for your help.
history is typically a built-in shell command, but assuming your log configuration captures all commands, including shell built-ins, you can use e.g.:
index=auditbeat
| bin _time span=15m
| stats values(command) as command by _time host
| search command=whoami command=chroot command=history
Thanks @tscroggins
"| search command=whoami command=chroot command=history" this line is looking at whether all these commands are available in a time span (in our example, 15 min), right?
Effectively, yes.
| bin _time span=15m
The bin command converts every time value to the prior 15 minute boundary. E.g. 00:01:01 => 00:00:00, 00:17:30 => 00:15:00, 00:32:00 => 00:30:00, and 00:59:35 => 00:45:00.
Note that binning _time in this way does not produce a rolling 15 minute window. For example, if chroot is executed at 00:59:59.999999 and whoami is executed at 01:00:00.000000, the commands will be binned into separate 15 minute intervals.
| stats values(command) as command by _time host
The stats command uses the values function to aggregate all distinct command values by _time (now binned into 15 minute buckets) and host. The resulting command field will be multi-valued, i.e. it will have one or more simultaneous values.
| search command=whoami command=chroot command=history
The search command looks for all events with command values of whoami, chroot, and history. Since command is now multi-valued, it can (and must) contain all of these values at the same time.
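To make the three-stage pipeline above concrete (and to show the fixed-bin versus rolling-window caveat from the explanation), here is an added Python emulation of what `bin _time span=15m`, `stats values(command) by _time host` and the final `search` do over a handful of constructed auditbeat-style events. This is illustration code written for this thread, not Splunk's implementation or anything tscroggins posted; the event records, hostnames and timestamps are invented, and `find_hosts_rolling` is an extra sliding-window variant that the SPL on the page does not implement.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in an auditbeat-like shape: (host, command, _time).
# Invented for illustration only; not real log data.
EVENTS = [
    ("host1", "ls",      "2024-01-01T00:01:01"),
    ("host1", "whoami",  "2024-01-01T00:02:10"),
    ("host1", "chroot",  "2024-01-01T00:05:00"),
    ("host1", "history", "2024-01-01T00:14:59"),
    ("host2", "whoami",  "2024-01-01T00:03:00"),
    ("host2", "history", "2024-01-01T00:04:00"),
    ("host2", "rm",      "2024-01-01T00:06:00"),
    # Boundary case from the explanation: chroot just before 01:00, whoami just after.
    ("host3", "history", "2024-01-01T00:50:00"),
    ("host3", "chroot",  "2024-01-01T00:59:59.999999"),
    ("host3", "whoami",  "2024-01-01T01:00:00"),
]

# The command set the question asks about.
REQUIRED = {"whoami", "chroot", "history"}


def parse(ts: str) -> datetime:
    """Parse the ISO-8601 timestamps used in the constructed events."""
    return datetime.fromisoformat(ts)


def bin_time(ts: datetime, span: timedelta = timedelta(minutes=15)) -> datetime:
    """Floor ts to the prior span boundary, like `bin _time span=15m`.
    Uses the Unix epoch as the reference so buckets fall on :00, :15, :30, :45."""
    epoch = datetime(1970, 1, 1)
    return ts - ((ts - epoch) % span)


def find_hosts_running_all(events=EVENTS, required=REQUIRED,
                           span: timedelta = timedelta(minutes=15)):
    """Emulate `bin` + `stats values(command) as command by _time host`
    + `search command=whoami command=chroot command=history`.
    Returns [(bucket_start, host, sorted distinct commands)] for matches."""
    buckets = defaultdict(set)  # (bucket_start, host) -> distinct commands (values())
    for host, command, ts in events:
        buckets[(bin_time(parse(ts), span), host)].add(command)
    results = []
    for (bucket, host), commands in sorted(buckets.items()):
        # Multi-valued `command` must contain every required value at once.
        if required <= commands:
            results.append((bucket.strftime("%H:%M:%S"), host, sorted(commands)))
    return results


def find_hosts_rolling(events=EVENTS, required=REQUIRED,
                       window: timedelta = timedelta(minutes=15)):
    """Hypothetical rolling alternative (not the SPL on the page): flag a host when
    all required commands occur within `window` of one of its events, so a burst
    that straddles a fixed 15-minute boundary is still caught.
    Returns [(window_start, host)] with at most one hit per host."""
    per_host = defaultdict(list)
    for host, command, ts in events:
        if command in required:
            per_host[host].append((parse(ts), command))
    results = []
    for host, items in per_host.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            seen = {cmd for t, cmd in items[i:] if t - start <= window}
            if required <= seen:
                results.append((start.strftime("%H:%M:%S.%f"), host))
                break
    return sorted(results)


if __name__ == "__main__":
    print("fixed 15m bins :", find_hosts_running_all())
    print("rolling 15m    :", find_hosts_rolling())
```

With the constructed events, the fixed-bin emulation reports only host1 in the 00:00:00 bucket: host2 never runs chroot, and host3's chroot lands in the 00:45 bucket while its whoami lands in the 01:00 bucket, exactly the split the explanation warns about. The rolling variant additionally reports host3, which is the trade-off to weigh if the detection is meant to catch bursts that happen to cross a boundary.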