Splunk Search

Returning results only if field has more than one unique name

santorof
Communicator

I am looking to create a unique alert that would look at virus activity. The idea is to get a real-time alert in a 60 second window if the field signature is recurring across two separate logs that both have a different computer_name, which could possibly signal an outbreak.

signature is the indicator of what type of virus it is and computer_name is the comp name.
This is the general idea: ...| bucket _time span=1m | dedup signature | (Only return results if computer_name has different results) | count >2

I can't seem to figure out a Splunk command to only return results if the computer_name field does not have a unique specific name. I know I could utilize != but I'm not sure what command would help me with this.

0 Karma
1 Solution

richgalloway
SplunkTrust

How about something like this.

...| bucket _time span=1m | stats count(computer_name) as computerCount by signature | where computerCount > 2 | ...
---
If this reply helps you, Karma would be appreciated.

0 Karma

santorof
Communicator

Not sure if it works. It's saying there are events but no results are being output.

0 Karma

richgalloway
SplunkTrust

Try my modified answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma

santorof
Communicator

The logic makes sense, but Splunk says I have 8 results and nothing is being output. Just running a basic query against the source type, I have the same number of events in a given period as what the alert is telling me.

0 Karma

richgalloway
SplunkTrust

If you add table computer_name computerCount after the where command, do you see output? Do you see events in Verbose Mode?

---
If this reply helps you, Karma would be appreciated.
0 Karma

santorof
Communicator

I get a count of computers but nothing on the left hand side under computer_name

0 Karma

richgalloway
SplunkTrust

Try changing the stats command to stats values(computer_name) as Computers count(computer_name) as computerCount by signature.

---
If this reply helps you, Karma would be appreciated.
0 Karma

santorof
Communicator

Seems I have solid output. Over a given 24 hours I have 4 different signatures, where each signature has multiple computers, and on the right hand side is a total count. What seems weird is that if there are only 2 computers for one signature, the total computer count is 15. This probably means 15 total events between those two computers.

What I am seeing though is one signature for one computer. I should only be seeing output if there are a total of two computers found for that signature. computerCount >2 should be taking care of that it seems.

Edit: Just noticed computerCount >2 will activate if one computer pops up multiple times in a 60 second window

0 Karma

santorof
Communicator

Got it. Verified the results and I'm good to go. Thanks!

0 Karma
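The accepted answer's stats ... by signature over 1-minute buckets is the right shape, but, as the thread notes at the end, count(computer_name) counts events, so a single noisy host reporting the same signature three times in a minute trips "computerCount > 2" on its own. What the question actually asks for is the number of distinct hosts per signature per bucket, which in SPL is stats dc(computer_name) as hosts by signature followed by where hosts > 1. The following Python is an added example, not code from the thread or from Splunk, that runs the same logic offline over constructed antivirus events (the hostnames, signatures and timestamps are made up) and shows the two criteria side by side:

```python
"""Outbreak detection from the thread, re-implemented offline in Python.

Constructed sample data: each line is one AV detection event with a
timestamp, the reporting host (computer_name) and the malware signature.
None of these hosts or signatures come from the original post.
"""
from collections import defaultdict
from datetime import datetime

SAMPLE_EVENTS = """\
2024-05-01T10:00:05Z computer_name=WS-001 signature=Trojan.Emotet
2024-05-01T10:00:12Z computer_name=WS-001 signature=Trojan.Emotet
2024-05-01T10:00:40Z computer_name=WS-001 signature=Trojan.Emotet
2024-05-01T10:00:20Z computer_name=WS-002 signature=Worm.Conficker
2024-05-01T10:00:33Z computer_name=WS-017 signature=Worm.Conficker
2024-05-01T10:01:03Z computer_name=WS-002 signature=Worm.Conficker
2024-05-01T10:02:55Z computer_name=WS-005 signature=PUA.Toolbar
"""


def parse_event(line):
    """Split '<ts> key=value key=value' into (timestamp, computer_name, signature)."""
    ts_str, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["computer_name"], fields["signature"]


def bucket_minute(ts):
    """Equivalent of `bucket _time span=1m`: truncate to the minute."""
    return ts.strftime("%Y-%m-%dT%H:%MZ")


def summarize(raw):
    """Equivalent of `stats count(computer_name) values(computer_name) by signature`
    after bucketing. Returns {(bucket, signature): (event_count, sorted distinct hosts)}."""
    counts = defaultdict(int)
    hosts = defaultdict(set)
    for line in raw.strip().splitlines():
        ts, host, sig = parse_event(line)
        key = (bucket_minute(ts), sig)
        counts[key] += 1
        hosts[key].add(host)
    return {key: (counts[key], sorted(hosts[key])) for key in counts}


def alerts_by_event_count(summary, threshold=2):
    """The thread's first criterion, count(computer_name) > 2.
    Fires when ONE host reports the same signature three times in a minute."""
    return sorted(key for key, (n, _) in summary.items() if n > threshold)


def alerts_by_distinct_hosts(summary, min_hosts=2):
    """The refined criterion, dc(computer_name) >= 2: the same signature seen on
    at least two different hosts inside one 1-minute bucket."""
    return sorted(key for key, (_, h) in summary.items() if len(h) >= min_hosts)


if __name__ == "__main__":
    summary = summarize(SAMPLE_EVENTS)
    for (bucket, sig), (n, h) in sorted(summary.items()):
        print(f"{bucket} {sig:<16} events={n} hosts={h}")
    print("count>2 alerts :", alerts_by_event_count(summary))
    print("dc>=2 alerts   :", alerts_by_distinct_hosts(summary))
```

Running it, the event-count rule fires only on Trojan.Emotet at 10:00, which is one workstation logging three times, while the distinct-host rule fires only on Worm.Conficker at 10:00, where two different hosts reported it. One caveat that applies to the SPL version as well: fixed 1-minute buckets split detections that straddle a minute boundary (the 10:00:33 and 10:01:03 Conficker events land in different buckets), so a scheduled search with a slightly wider or overlapping window is less likely to miss a slow-starting outbreak than a strict span=1m.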