Splunk Search

Number of aggregated events per username in a time window

LegalPrime
Path Finder

I am trying to monitor for a higher-than-threshold number of events per user.

 

The alert is run once an hour and I need to inspect every X-minute window in the previous hour for a number of occurrences higher than the allowed threshold (5 here).

index="someindex" | search event="Event-Indicating-String" |
stats count(eval(event)) as occurrences by offender |
where occurrences > 5 |
table offender occurrences

I have a timestamp (in seconds) available for every event before I aggregate them.

 

How do I go about this?

1 Solution

LegalPrime
Path Finder

Hi, thank you for the fast reply. Is it possible that the last condition (where occurrences) cannot be used like that?

 

When I use the timechart part (for testing purposes, I am now specifying a window of 5y to cover all the data), I get a single line for the current year (column name _time) and every other column is named after an offender, with the value being the number of occurrences.

When I append the `where occurrences > 5`, I get no results at all.

 

EDIT: Turns out the where clause should be used as a part of the timechart query... and also, that for an alert set up to trigger on more than 0 records, useother=false should be used.

 

So the final solution was like this:

index="someindex" event="Event-Indicating-String" 
| timechart span=5m count as occurrences by offender useother=false WHERE count > 5


gcusello
SplunkTrust
SplunkTrust

Hi @LegalPrime,

you should try the timechart command:

index="someindex" event="Event-Indicating-String" 
| timechart span=5m count as occurrences by offender 
| where occurrences > 5 

In this example the threshold is 5 occurrences and the span is 5 minutes; both of them are obviously configurable.

Ciao.

Giuseppe


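The check the thread converges on (count matching events per offender in each 5-minute span, flag spans with more than 5, over the hour before the alert fires) is easy to get subtly wrong: the original stats search counts over the whole range, while timechart span=5m by offender counts per bucket, and those two give different offenders. The following Python is an added example that is not part of the original posts or of Splunk; it reimplements both countings over constructed sample events so the difference is visible. The names alice, bob, carol, dave, the epoch values and the "Some-Other-Event" string are made up for this example; the event string, span, threshold and hourly lookback match the thread.

```python
from collections import defaultdict

SPAN = 300                           # seconds; stands in for timechart span=5m
THRESHOLD = 5                        # stands in for "occurrences > 5"
LOOKBACK = 3600                      # alert runs hourly and inspects the previous hour
INDICATOR = "Event-Indicating-String"

# Constructed sample events as (epoch_seconds, event, offender). BASE is a
# span-aligned timestamp; all names and values below are made up for this example.
BASE = 1_699_999_800
SAMPLE_EVENTS = (
    [(BASE + 10 * i, INDICATOR, "alice") for i in range(1, 7)]          # 6 hits in bucket BASE
    + [(BASE + 10 * i, INDICATOR, "bob") for i in range(1, 4)]          # 3 hits in bucket BASE
    + [(BASE + 300 + 10 * i, INDICATOR, "bob") for i in range(1, 4)]    # 3 more in the next bucket
    + [(BASE + 600 + 10 * i, INDICATOR, "alice") for i in range(1, 3)]  # 2 more, two buckets later
    + [(BASE + 650, "Some-Other-Event", "carol")]                       # wrong event string, ignored
    + [(BASE - 7200 + i, INDICATOR, "dave") for i in range(6)]          # 6 hits, but two hours ago
)
NOW = BASE + 900                     # pretend the hourly alert fires at this instant


def bucket_start(ts, span=SPAN):
    """Floor an epoch timestamp to the start of its span (what bin/timechart do to _time)."""
    return ts - (ts % span)


def in_lookback(ts, now=NOW, lookback=LOOKBACK):
    """True if ts falls inside the [now - lookback, now) window the alert inspects."""
    return now - lookback <= ts < now


def count_per_bucket(events, span=SPAN, now=NOW, lookback=LOOKBACK, indicator=INDICATOR):
    """Per-span counts, keyed by (bucket_start, offender): the timechart ... by offender view.

    lookback=None disables the time filter, which is what a search over all data does.
    """
    counts = defaultdict(int)
    for ts, event, offender in events:
        if event != indicator:
            continue
        if lookback is not None and not in_lookback(ts, now, lookback):
            continue
        counts[(bucket_start(ts, span), offender)] += 1
    return dict(counts)


def offenders_over_threshold(events, threshold=THRESHOLD, **window_kw):
    """(bucket_start, offender, count) for every bucket where count exceeds the threshold."""
    per_bucket = count_per_bucket(events, **window_kw)
    return sorted((b, o, c) for (b, o), c in per_bucket.items() if c > threshold)


def count_over_range(events, now=NOW, lookback=LOOKBACK, indicator=INDICATOR):
    """Whole-range counts per offender: the original 'stats count by offender' view."""
    totals = defaultdict(int)
    for ts, event, offender in events:
        if event == indicator and in_lookback(ts, now, lookback):
            totals[offender] += 1
    return dict(totals)


if __name__ == "__main__":
    print("per 5m bucket, last hour:", offenders_over_threshold(SAMPLE_EVENTS))
    print("per 5m bucket, all data: ", offenders_over_threshold(SAMPLE_EVENTS, lookback=None))
    print("whole hour per offender: ", count_over_range(SAMPLE_EVENTS))
```

Run as a script it shows the point of the thread: only alice exceeds 5 inside a single 5-minute bucket, whereas counting over the whole hour also flags bob (6 events spread across two buckets), and without the lookback filter dave's burst from two hours earlier would surface as well. Choosing per-bucket versus whole-range counting, and bounding the search to the previous hour, are the decisions the SPL span, where clause and time range encode.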