Many thanks DalJeanis.
I am currently testing your proposal. I will come back to you as soon as I have some results.
Indeed the timeframe was selected based on the one picked for the same use case in a different platform. The three/four events are generated in less than 10 seconds, but considering possible delays or small amendments in the received time due to the ingestion into Splunk and making sure that the whole 10 seconds are covered, a timeframe of 30 seconds was taken. It's like a good compromise and it worked in the other platform.
Thanks a lot for guiding me in a different direction.
I am in the process of building a use case, which consists of 5 real-time alerts. In order to make the logic simpler, cleaner and more readable, I have created 4 eventtypes (EventA, EventB, EventC and EventD), which all belong to the same sourcetype and represent the 4 types of events that the scoped processes (the ones that we want to monitor) can generate.
There are 5 scenarios that must be alerted in real time:
(1) A process generates EventA, EventB and EventC within a period of 30 seconds.
(2) A process generates EventA, EventB and EventD within a period of 30 seconds.
(3) A process generates EventA, EventC and EventD within a period of 30 seconds.
(4) A process generates EventB, EventC and EventD within a period of 30 seconds.
(5) A process generates EventA, EventB, EventC and EventD within a period of 30 seconds.
The order of occurrence is not important. All the eventtypes must have the same process identifier (ProcessID).
I have created some logic for that but it is failing. For instance, the search that I have written for the last and most important scenario is the following.

eventtype=EventA OR eventtype=EventB | transaction ProcessID | append [search eventtype=EventC] | transaction ProcessID | append [search eventtype=EventD] | transaction ProcessID
This search works if the process generates only the 4 eventtypes, but fails if more than one event of each eventtype is generated. For instance, if several EventA and several EventB are generated by the same process, this search stacks all of them and produces a result joining all of them. I would like to know if there is another way to correlate this situation and/or how I can get rid of the redundant events.
For scenarios 1 to 4, I need to make sure in each scenario that the event not included (e.g. Scenario 1: EventD) is not generated.
I would really appreciate any kind of support. Thank you very much in advance.
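The five scenarios above reduce to a single set comparison per process and per 30-second window: collapse the eventtypes seen in the window into a set (which removes the repeated EventA/EventB problem), then compare that set against the required set, where exact equality also enforces the "fourth event must not be generated" condition for scenarios 1 to 4. The following Python script is an added reference implementation of that logic, not code from this thread or from Splunk: it assumes events carry the Splunk fields `_time`, `ProcessID` and `eventtype`, it opens a window at each event and suppresses further alerts from the same burst once one fires, and the sample events are constructed for the demonstration.

```python
from collections import defaultdict

WINDOW_SECONDS = 30
EVENT_TYPES = ("EventA", "EventB", "EventC", "EventD")

# Required eventtype set per scenario. Exact set equality means the one
# eventtype missing from scenarios 1-4 must be absent from the window.
SCENARIOS = {
    1: frozenset({"EventA", "EventB", "EventC"}),
    2: frozenset({"EventA", "EventB", "EventD"}),
    3: frozenset({"EventA", "EventC", "EventD"}),
    4: frozenset({"EventB", "EventC", "EventD"}),
    5: frozenset(EVENT_TYPES),
}


def classify(types_seen):
    """Map the set of eventtypes seen in one window to a scenario number, or None."""
    seen = frozenset(types_seen)
    for number, required in SCENARIOS.items():
        if seen == required:
            return number
    return None


def correlate(events, window=WINDOW_SECONDS):
    """Return one alert per matching (ProcessID, window); order of arrival is irrelevant."""
    by_process = defaultdict(list)
    for event in events:
        by_process[event["ProcessID"]].append(event)

    alerts = []
    for process_id, evs in sorted(by_process.items()):
        evs.sort(key=lambda e: e["_time"])
        i = 0
        while i < len(evs):
            start = evs[i]["_time"]
            # Window opens at this event and covers everything within `window` seconds.
            j = i
            while j < len(evs) and evs[j]["_time"] - start <= window:
                j += 1
            members = evs[i:j]
            # A set collapses several EventA / EventB into one occurrence each.
            types = {e["eventtype"] for e in members}
            scenario = classify(types)
            if scenario is not None:
                alerts.append({
                    "ProcessID": process_id,
                    "scenario": scenario,
                    "eventtypes": tuple(sorted(types)),
                    "first_time": start,
                    "last_time": members[-1]["_time"],
                    "event_count": len(members),
                })
                i = j  # skip the rest of this burst so it does not alert twice
            else:
                i += 1
    return alerts


# Constructed sample events (epoch seconds); not real data.
SAMPLE_EVENTS = [
    # proc-1: repeated EventA and EventB plus one C and one D within 10 s -> scenario 5, one alert
    {"_time": 100, "ProcessID": "proc-1", "eventtype": "EventA"},
    {"_time": 101, "ProcessID": "proc-1", "eventtype": "EventA"},
    {"_time": 103, "ProcessID": "proc-1", "eventtype": "EventB"},
    {"_time": 104, "ProcessID": "proc-1", "eventtype": "EventB"},
    {"_time": 106, "ProcessID": "proc-1", "eventtype": "EventC"},
    {"_time": 108, "ProcessID": "proc-1", "eventtype": "EventD"},
    # proc-2: A, B, C within 30 s; D arrives 65 s after A, outside the window -> scenario 1
    {"_time": 200, "ProcessID": "proc-2", "eventtype": "EventA"},
    {"_time": 210, "ProcessID": "proc-2", "eventtype": "EventB"},
    {"_time": 225, "ProcessID": "proc-2", "eventtype": "EventC"},
    {"_time": 265, "ProcessID": "proc-2", "eventtype": "EventD"},
    # proc-3: C, D, B in that order within 30 s -> scenario 4 (order does not matter)
    {"_time": 300, "ProcessID": "proc-3", "eventtype": "EventC"},
    {"_time": 305, "ProcessID": "proc-3", "eventtype": "EventD"},
    {"_time": 320, "ProcessID": "proc-3", "eventtype": "EventB"},
    # proc-4: only A and B -> no scenario matches
    {"_time": 400, "ProcessID": "proc-4", "eventtype": "EventA"},
    {"_time": 401, "ProcessID": "proc-4", "eventtype": "EventB"},
]


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Two points follow from running it. First, because the comparison is on the set of eventtypes rather than on individual events, the duplicate-stacking problem of chained `transaction` commands disappears; the analogous idea in the search language is to group by ProcessID over the window and compare the distinct eventtypes seen (for example with `stats values(eventtype)` and `dc(eventtype)`) against the required set, rather than appending and re-transacting. Second, the "must not be generated" check for scenarios 1 to 4 is only as good as the window: proc-2's EventD arrives after the 30 seconds have elapsed, so scenario 1 fires even though the process eventually emitted all four types. A real-time alert has exactly the same blind spot, so the window length chosen above decides how late a fourth event can arrive and still be counted.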