Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need a query to run until it gets results and stop once those results are found.

AlexBryant
Path Finder
‎02-13-2015 07:52 AM

I need to perform forensic analysis on compromised computers, but they are sometimes not online anymore by the time I've seen the AV alert and have Encase up and running. It would be extremely helpful if Splunk could search for that computer (ping, Windows Security events, whatever) email me when the appropriate traffic is observed, and then stop the search.

Detecting traffic from the computer and sending the email is no problem - it's how to get the search to stop once the target computer is online that has me stumped. Ideally, I would type something like 'sourcetype="IsOnline" hostname="HackedPC" notify="MyEmail@company.com"', and the search would run until I get the email, without my having to stop it manually.

Thanks!

Tags (1)
0 Karma
Reply

tpflicke
Path Finder
‎02-13-2015 03:07 PM

One approach would be to set the alert action for your search to a script.
The script can then send you an email and also interact with Splunk via the REST API.

http://dev.splunk.com/view/SP-CAAADQ5 provides an example for disabling a search via the API:

curl  -k -u admin:changeme  -d "disabled=1" -d 'search="fail+OR+error"' https://localhost:8089/servicesNS/admin/search/saved/searches/web_errors

You also create, delete and otherwise manipulate saved searches without having to interact with the UI.
It's also possible just disable the alert action.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...