Re: Zero events monitoring in chart

ejpulsar · ‎10-14-2013

Hi!

I need to build realtime search which tracks if NO events with particular P_LOGIN_NAME are received in last 15 minutes.
But the core problem is: if no events, there are no these lines in chart.

1) I have events with fields

P_LOGIN_NAME=STRING1 status=200    
P_LOGIN_NAME=STRING1 status=404    
P_LOGIN_NAME=STRING3 status=200    
LOGIN=STRING4 status=200

2) My realtime core search (rt-15m) with some enrichment with external csv:

source="Apache_dealers_pays_logs" status=200 OR status=404 | 
eval P_LOGIN_NAME=coalesce(P_LOGIN_NAME,LOGIN) |
chart count OVER P_LOGIN_NAME by status

3) It works flawlessly until no events in past 15 minutes present by P_LOGIN_NAME. I tried to avoid it by csv with all P_LOGIN_NAME:

source="Apache_dealers_pays_logs" status=200 OR status=404  | 
eval P_LOGIN_NAME=coalesce(P_LOGIN_NAME,LOGIN) |
chart count OVER P_LOGIN_NAME by status | 
JOIN type=outer P_LOGIN_NAME [ | inputcsv PLATEZHI_KASSY_Description.csv | table P_LOGIN_NAME ]

4)
First trouble: I still didn't see joined rows with empty fields.
Second trouble: I did not know, how it will be work in rt search.

ayme · ‎10-18-2013

Appending lookups doesn't work with RT as you say I think. The only thing I think I can suggest is that every 15 minutes you inject the list of all the P_LOGIN_NAMEs into Splunk (you can use a scheduled search and pump it into a summary Index). Then you're RT search would be:

(source="Apache_dealers_pays_logs" status=200 OR status=404) OR (index=my_summary_users_list_index) | 
eval P_LOGIN_NAME=coalesce(P_LOGIN_NAME,LOGIN) | eval status=if(isnull(status),"n/a",status) | chart dc(sourcetype) over P_LOGIN_NAME by status

Zero events monitoring in chart

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?