I need search results involved in alerts to be available for a longer period of time than they are now (currently, nobody on my team seems to get to the alert in time to see the alerting event). I know that this question was asked before: https://answers.splunk.com/answers/440040/saving-alert-artifacts-for-longer-periods-of-time.html However, I cannot make that solution work. The solution is supposed to be that I run the alter search and set its job settings to have a longer lifetime. When I do that the setting reverts to 10m the next time I open the alert search up. in my saved search listing, I do notice that there is an advanced edit with 600+ values, including 30 ttl value. Is one of those values the right thing to set? ... View more

I have been trying to do kmeans analysis of some data. I see some of my evaluation points falling into lots of clusters, but with heavy weighting towards 1-2 clusters. Is there a way to call this out? [my search] | kmeans k=100 col1 col2 col3 | | eventstats count as clusterConnectionEvents by CLUSTERNUM | eval culusterConectionEvents=CLUSTERNUM."(".clusterConnectionEvents.")" | | stats dc(CLUSTERNUM) as clusterCount values(culusterConectionEvents) values(connectionCount) count by gives me a first item with clusterCount=26 values(clusterConnectionEvents) 1(7) 10(1) 100(14) 12(100) 14(19) 16(9) 2(50247) 20(2) 37(203) 39(122) 4(472) 40(75) 48(17) 5(2) 50(16) 52(8) 53(39) 59(8) 73(3) 74(20) 75(142) 80(2) 81(13) 83(4) 84(58) 87(96) This clearly has a huge node at cluster 2 and another clusterCount=12 values(clusterConnectionEvents) 1(4) 14(2) 16(5) 2(59) 32(3) 4(11) 48(2) 59(148) 75(170) 84(2) 87(69) 89(5) which clearly has nodes at clusters 59 and 75 (and maybe 2 and 87 as well). For other items, the nodes are less pronounced. These are less interesting to me Is there a way to score such data so that items with the vast majority of their values falling into 1-2 buckets comes to the top of a list? ... View more

I am trying to write some beaconing reports/dashboards. I have a few of them figured out, but now I am stuck trying to get a decent continuous beacon query. What I would like to do is rate connections by the number of consecutive time intervals in which they appear. Ultimately, I will use multiple intervals (1m, 15m, 30m, 1h), but for now I am just trying to solve 1 minute intervals. example data would look something like time, src_ip, dest_ip, dest_port 10/29/17 05:01 192.168.1.15 8.8.8.8 53 10/29/17 05:02 192.168.1.15 8.8.8.8 53 10/29/17 05:03 192.168.1.15 8.8.8.8 53 10/29/17 05:04 192.168.1.15 8.8.8.8 53 10/29/17 05:05 192.168.1.15 8.8.8.8 53 10/29/17 05:01 192.168.1.21 7.7.7.7 53 10/29/17 05:04 192.168.1.21 7.7.7.7 53 10/29/17 05:05 192.168.1.21 7.7.7.7 53 in the above sample data, the connection 192.168.1.15 8.8.8.8 53 should get a rank of 5 because it has traffic during 5 consecutive minutes while the connection 192.168.1.21 7.7.7.7 53 should only get a rank of 2 since its traffic only happens for 2 consecutive minutes (even though it breaks and starts back up) I tried this | tstats summariesonly=t min(_time) as sessionStart from datamodel=Network_Traffic.All_Traffic where All_Traffic.session_id!=0 by All_Traffic.user All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.session_id All_Traffic.src_port | rename All_Traffic.dest_ip as dest_ip, All_Traffic.src_ip as src_ip, All_Traffic.dest_port as dest_port | eval _time=sessionStart | bin _time span=1m | stats count as connCount by src_ip dest_ip dest_port _time | streamstats count by src_ip dest_ip dest_port reset_on_change=true (session ID is just there because both session start and session end from my firewall get mapped to Network_Traffic) This is not good enough because the streamstats doesn't know that the adjacent events are not really consecutive intervals. I could create a sequence, eval seq=_time/60 But I still don't know how to compare the current against last to figure out the count Any better ideas on how to do this? ... View more