I am looking to create a unique alert that would look at virus activity. The idea is to get a real time alert in a 60 second window if the field signature is reoccurring across two separate logs that both have different (computer_name) which could signal an outbreak possibly.
signature is the indicator of what type of virus it is and computer_name is the comp name.
This is the general idea: ...| bucket _time span=1m | dedup signature | (Only return results if computer_name has different results) | count >2
I can't seem to figure out a Splunk command to only return results if the computer_name field does not have a unique specific name. I know I could utilize != but not sure what command would help me with this.
How about something like this.
...| bucket _time span=1m | stats count(computer_name) as computerCount by signature | where computerCount > 2 | ...
Not sure if it works. It's saying there are events but no results are being output.
Try my modified answer.
The logic makes sense but Splunk says I have 8 results but nothing is being output. Just running a basic query against the source type, I have the same amount of events in a given period as what the alert is telling me.
If you add table computer_name computerCount after the where command, do you see output? Do you see events in Verbose Mode?
I get a count of computers but nothing on the left-hand side under computer_name.
Try changing the stats command to stats values(computer_name) as Computers count(computer_name) as computerCount by signature.
Seems I have solid output. Over a given 24 hours I have 4 different signatures where each signature has multiple computers, and on the right-hand side is a total count. What seems weird is if there are only 2 computers for one signature the total computer count is 15. This probably means 15 total events between those two computers.
What I am seeing though is one signature for one computer. I should only be seeing output if there are a total of two computers found for that signature. computerCount >2 should be taking care of that it seems.
Edit: Just noticed computerCount >2 will activate if one computer pops up multiple times in a 60 second window
Got it. Verified the results and I'm good to go. Thanks!
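The edit above pins down the real problem with the thread's query: count(computer_name) counts events, so one noisy host that logs the same signature three times in a minute trips computerCount > 2 even though only a single machine is involved. What the alert actually wants is the number of distinct hosts per signature per minute, which in SPL is stats dc(computer_name) rather than count(computer_name). The following Python, added here as an illustration and not part of the thread, reproduces both variants over a small set of constructed antivirus events so the difference is visible: the signatures, host names and timestamps are made up for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (signature, host and time are hypothetical):
# "Trojan.Generic" repeats three times on one host inside a single minute,
# "Worm.Sample" is seen on two different hosts inside a single minute, and a
# third "Worm.Sample" hit lands in a later minute bucket.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:05", "Trojan.Generic", "host-a"),
    ("2024-01-01T10:00:20", "Trojan.Generic", "host-a"),
    ("2024-01-01T10:00:40", "Trojan.Generic", "host-a"),
    ("2024-01-01T10:00:10", "Worm.Sample", "host-b"),
    ("2024-01-01T10:00:50", "Worm.Sample", "host-c"),
    ("2024-01-01T10:02:00", "Worm.Sample", "host-d"),
]


def bucket_minute(timestamp):
    """Floor an ISO-8601 timestamp to the minute (same effect as 'bucket _time span=1m')."""
    return datetime.fromisoformat(timestamp).replace(second=0, microsecond=0)


def aggregate(events):
    """Group events by (minute bucket, signature) and track both the raw event
    count and the set of distinct hosts, mirroring
    'stats count(computer_name) dc(computer_name) values(computer_name) by signature'."""
    agg = defaultdict(lambda: {"count": 0, "hosts": set()})
    for timestamp, signature, host in events:
        key = (bucket_minute(timestamp), signature)
        agg[key]["count"] += 1
        agg[key]["hosts"].add(host)
    return agg


def alert_by_event_count(events, threshold=2):
    """The thread's original condition: count(computer_name) > threshold.
    Fires on a single host that merely logs the same signature repeatedly."""
    return sorted({sig for (_, sig), v in aggregate(events).items()
                   if v["count"] > threshold})


def alert_by_distinct_hosts(events, min_hosts=2):
    """The corrected condition: dc(computer_name) >= min_hosts.
    Fires only when the same signature is seen on at least min_hosts different
    machines inside one minute bucket, which is the outbreak signal wanted."""
    return sorted({sig for (_, sig), v in aggregate(events).items()
                   if len(v["hosts"]) >= min_hosts})


def outbreak_details(events, min_hosts=2):
    """Return (bucket, signature, sorted hosts) for every bucket that meets the
    distinct-host condition, the equivalent of adding 'values(computer_name)'."""
    return [(bucket.isoformat(), sig, sorted(v["hosts"]))
            for (bucket, sig), v in sorted(aggregate(events).items())
            if len(v["hosts"]) >= min_hosts]


if __name__ == "__main__":
    print("count(computer_name) > 2 fires on:", alert_by_event_count(SAMPLE_EVENTS))
    print("dc(computer_name) >= 2 fires on:  ", alert_by_distinct_hosts(SAMPLE_EVENTS))
    for bucket, sig, hosts in outbreak_details(SAMPLE_EVENTS):
        print(f"{bucket}  {sig}  hosts={hosts}")
```

Run stand-alone, the event-count version alerts only on Trojan.Generic (one host, three events) and stays silent on Worm.Sample (two hosts, two events), which is the inverse of what the alert is meant to catch; the distinct-host version alerts on Worm.Sample alone. In the real search the same change is one function swap, stats dc(computer_name) as computerCount by signature with where computerCount >= 2, and keeping values(computer_name) in the stats clause makes the alert output list the affected machines for triage.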