How to search 5 min interval after summary index i...

gozdeyildiz · ‎12-02-2019

Hello,

I have a search that will extract a field to a summary index and I want to search that field in a specific index after 5 min
Ex;

index=applications message="Request from suspicious actor*" | fields srcIp | | collect index=siem-summary source=example-summary

then 5 min later, i would like to lookup that srcIp in network=index

Thanks in advance!

to4kawa · ‎12-02-2019

Hi, @gozdeyildiz
Assuming that a summary index is created every five minutes in reports, etc.

index=network OR (index=siem-summary source=example-summary) 
| stats dc(index) as flag by srcIp
| where flag > 1

This query provides srcIps in index network that is contains in index siem-summary.
How about this?

gozdeyildiz · ‎12-02-2019

Hi @to4kawa,

No actually, there is a search that populates summary index if there is any match. I want that search to trigger another search specific indexes after 5 min of trigger.

to4kawa · ‎12-06-2019

Splunk can set the search period.
Are you making summaries regularly?
Isn't it the same to search for a summary 5 minutes ago after 5 minutes?

How to search 5 min interval after summary index is populated

summary indexing

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024