Index=auditbeat
host --> log source
command --> command run by host
_time --> _time
host1: _time : 00.00:00 - 00.15:00 --> 15 min interval commands run by host1 in time interval above (15 min) : ls, tar, sudo, whoami, cd, mkdir
host2: _time : 00.00:00 - 00.15:00 --> 15 min interval commands run by host2 in time interval above (15 min) : ls, rm, history, whoami, cd, mkdir
host3: _time : 00.00:00 - 00.15:00 --> 15 min interval commands run by host3 in time interval above (15 min) : ls, chown, chroot, whoami, cd, mkdir
I need to write a search which will look at each 15 min time interval; within EACH 15 min time interval, if any machine (host) runs all of these commands, 'whoami', 'chroot' and 'history', the search will list the result as follows
The bin command converts every time value to the prior 15 minute boundary. E.g. 00:01:01 => 00:00:00, 00:17:30 => 00:15:00, 00:32:00 => 00:30:00, and 00:59:35 => 00:45:00.
Note that binning _time in this way does not produce a rolling 15 minute window. For example, if chroot is executed at 00:59:59.999999 and whoami is executed at 01:00:00.000000, the commands will be binned into separate 15 minute intervals.
| stats values(command) as command by _time host
The stats command uses the values function to aggregate all distinct command values by _time (now binned into 15 minute buckets) and host. The resulting command field will be multi-valued, i.e. it will have one or more simultaneous values.
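To make the bin-then-aggregate logic concrete outside Splunk, here is an added Python stand-in (not part of the answer above, and not Splunk's own code) that bins constructed auditbeat-style events to the prior 15 minute boundary, collects the distinct commands per (bin, host) like `stats values(command)`, and keeps only hosts whose set contains all three commands. The sample events are constructed, and host3 is placed on either side of the 01:00:00 boundary to show the non-rolling-window caveat.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (host, _time, command) in the shape of the question.
# Not real auditbeat data; host3's timestamps straddle a 15 minute bin boundary.
EVENTS = [
    ("host1", "2024-01-01 00:01:01", "ls"),
    ("host1", "2024-01-01 00:03:10", "whoami"),
    ("host1", "2024-01-01 00:05:00", "sudo"),
    ("host2", "2024-01-01 00:02:00", "whoami"),
    ("host2", "2024-01-01 00:04:00", "history"),
    ("host2", "2024-01-01 00:06:00", "chroot"),          # all three in one bin
    ("host3", "2024-01-01 00:59:59.999999", "chroot"),   # bin 00:45:00
    ("host3", "2024-01-01 00:59:59.999999", "history"),  # bin 00:45:00
    ("host3", "2024-01-01 01:00:00", "whoami"),          # bin 01:00:00, so no hit
]
REQUIRED = {"whoami", "chroot", "history"}
SPAN = 15 * 60  # seconds, same as span=15m


def bin_time(ts, span=SPAN):
    """Equivalent of `bin _time span=15m`: floor epoch seconds to the prior boundary."""
    epoch = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).timestamp()
    return int(epoch) // span * span


def stats_values(events, span=SPAN):
    """Equivalent of `stats values(command) as command by _time host`:
    one set of distinct commands per (binned _time, host)."""
    grouped = defaultdict(set)
    for host, ts, command in events:
        grouped[(bin_time(ts, span), host)].add(command)
    return grouped


def hosts_running_all(events, required=REQUIRED, span=SPAN):
    """Final filter: (bin, host) pairs whose multi-valued command field
    contains every required command. Returns (HH:MM:SS bin, host, commands)."""
    return sorted(
        (datetime.fromtimestamp(t, timezone.utc).strftime("%H:%M:%S"), host, sorted(cmds))
        for (t, host), cmds in stats_values(events, span).items()
        if required <= cmds
    )


if __name__ == "__main__":
    for row in hosts_running_all(EVENTS):
        print(row)
```

Only host2 is reported; host3 ran all three commands within one second but across two bins, which is exactly the gap the answer warns about.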