Splunk Search

Number of aggregated events per username in a time window

LegalPrime
Path Finder

I am trying to monitor for a higher-than-threshold number of events per user.

The alert runs once an hour, and I need to inspect every X-minute window in the previous hour for a number of occurrences higher than the allowed threshold (5 here).

index="someindex" | search event="Event-Indicating-String" |
stats count(eval(event)) as occurrences by offender |
where occurrences > 5 |
table offender occurrences

I have a timestamp (in seconds) available for every event before I aggregate them.

 

How do I go about this?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @LegalPrime,

you should try the timechart command:

index="someindex" event="Event-Indicating-String" 
| timechart span=5m count as occurrences by offender 
| where occurrences > 5 

In this example the threshold is 5 occurrences and the span is 5 minutes; both of them are obviously configurable.

Ciao.

Giuseppe

0 Karma

LegalPrime
Path Finder

Hi, thank you for the fast reply. Is it possible that the last condition (where occurrences) cannot be used like that?

 

When I use the timechart part (for testing purposes, I am now specifying a window of 5y to cover all the data), I get a single line for the current year (column name _time), and every other column is named after an offender, with the value being the number of occurrences.

When I append the `where occurrences > 5`, I get no results at all.

 

EDIT: Turns out the where clause should be used as part of the timechart query... and also that, for an alert set up to trigger on more than 0 records, useother=false should be used.

 

So the final solution was like this:

index="someindex" event="Event-Indicating-String" 
| timechart span=5m count as occurrences by offender useother=false WHERE count > 5
0 Karma
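The windowing the thread converges on, shown as an added example that is not code from any post above: a small Python re-implementation of the per-offender, per-5-minute check over constructed events. The long form mirrors the SPL `... event="Event-Indicating-String" | bin _time span=5m | stats count as occurrences by _time offender | where occurrences > 5`, one row per window and offender with a single `occurrences` column that a trailing `where` can filter. The wide form rebuilds the one-column-per-offender table that `timechart ... by offender` returns, which is why `| where occurrences > 5` after a timechart matched nothing: that table has no `occurrences` column, so the comparison has to be made per offender column. Window boundaries are multiples of the span counted from epoch 0, the default alignment of `bin`/`timechart`. The event tuples, the offender names, the base timestamp and the function names are all constructed for this example.

```python
"""
Added example, not code from the thread: per-offender counts in tumbling
5-minute windows, with the threshold applied per window.

Long form mirrors:
  ... event="Event-Indicating-String"
  | bin _time span=5m | stats count as occurrences by _time offender
  | where occurrences > 5
Wide form mirrors the table `timechart span=5m count by offender` returns.
"""
from collections import defaultdict

SPAN_SECONDS = 300   # timechart span=5m
THRESHOLD = 5        # allowed occurrences per offender per window
INDICATOR = "Event-Indicating-String"

# Constructed sample data (not real log data). BASE is a multiple of the span,
# so the first window starts exactly at BASE.
BASE = 1_700_000_400
EVENTS = (
    # alice: 6 hits in window 0 (over the threshold), 2 in window 1
    [(BASE + 10 * i, INDICATOR, "alice") for i in range(6)]
    + [(BASE + 300 + 20 * i, INDICATOR, "alice") for i in range(2)]
    # bob: 4 hits in each window, 8 in the hour but never more than 5 per window
    + [(BASE + 30 * i, INDICATOR, "bob") for i in range(4)]
    + [(BASE + 300 + 30 * i, INDICATOR, "bob") for i in range(4)]
    # carol: 7 hits in window 1
    + [(BASE + 300 + 5 * i, INDICATOR, "carol") for i in range(7)]
    # a different event type that the event= filter must drop
    + [(BASE + 50, "Some-Other-Event", "alice")]
)


def bucket_start(ts, span=SPAN_SECONDS):
    """Round a timestamp down to the start of its window, as bin/timechart do
    by default (windows aligned to multiples of the span from epoch 0)."""
    return ts - ts % span


def count_whole_range(events, indicator=INDICATOR):
    """The thread's first attempt: `stats count by offender` over the whole
    search window. It cannot tell 8 hits spread over an hour from 8 hits
    inside five minutes."""
    counts = defaultdict(int)
    for _, event, offender in events:
        if event == indicator:
            counts[offender] += 1
    return dict(counts)


def count_by_window(events, indicator=INDICATOR, span=SPAN_SECONDS):
    """Long form: one (window, offender) -> count entry, like
    `bin _time span=5m | stats count by _time offender`."""
    counts = defaultdict(int)
    for ts, event, offender in events:
        if event != indicator:
            continue
        counts[(bucket_start(ts, span), offender)] += 1
    return dict(counts)


def over_threshold(counts, threshold=THRESHOLD):
    """`| where occurrences > 5` on the long form: (window, offender, count)
    for every window in which an offender exceeded the threshold."""
    return sorted((w, o, n) for (w, o), n in counts.items() if n > threshold)


def pivot_like_timechart(counts):
    """Wide form: one row per window with `_time` plus one column per offender,
    the shape `timechart ... by offender` produces. There is no `occurrences`
    column, so `| where occurrences > 5` on this shape matches nothing.
    Missing cells are filled with 0."""
    offenders = sorted({o for _, o in counts})
    rows = []
    for window in sorted({w for w, _ in counts}):
        row = {"_time": window}
        for offender in offenders:
            row[offender] = counts.get((window, offender), 0)
        rows.append(row)
    return rows


def series_over_threshold(rows, threshold=THRESHOLD):
    """Threshold check on the wide form: compare each offender column of each
    row, returning the same (window, offender, count) triples as the long form."""
    hits = []
    for row in rows:
        for column, n in row.items():
            if column != "_time" and n > threshold:
                hits.append((row["_time"], column, n))
    return sorted(hits)


if __name__ == "__main__":
    print("whole range:", count_whole_range(EVENTS))
    long_form = count_by_window(EVENTS)
    print("per window, over threshold:", over_threshold(long_form))
    wide = pivot_like_timechart(long_form)
    print("timechart-shaped columns:", list(wide[0]))
    print("wide form, over threshold:", series_over_threshold(wide))
```

Running it shows bob with 8 hits over the hour but no flagged window, while alice (6 in the first window) and carol (7 in the second) are reported; the whole-range count flags all three, which is the over-reporting the original `stats count ... by offender` search would produce. The 5-minute bucket boundaries fall on multiples of 300 seconds, so an alert run once an hour over the previous hour sees twelve complete windows.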