You need to get the first 3 events after a particular event (for example, a login event) — for the events related to a particular user — but there is no well-defined ending event.
Given the following ideal transaction that starts with a login action:
    [1] 10:11:12 userid=root action=login
    [2] 10:11:13 userid=root action="cd /"
    [3] 10:11:14 userid=root action="rm -rf *"
    [4] 10:11:15 userid=root server="echo lol"
The obvious search choice is to use transaction that starts with the login action:
    ... | transaction userid startswith="(action=login)" maxevents=4
The problem is that you will get transactions that don’t have action=login. Why? The startswith option does not tell transaction to return only transactions that actually begin with the string you’re supplying. Rather it tells transaction that when it encounters a line that matches the startswith directive, it is the beginning of a new transaction. However, transactions will also be made for different values of userid, regardless of the startswith condition.
To avoid this, add a filtering search command after the transaction search above:
    ... | search action=login
The transactions returned will start with action=login and include the next three events for the userid.
Note: If there are fewer than three events between two logins, the transaction will be smaller than 4 events. The transaction command adds an eventcount field to each transaction, which you can then use to further filter transactions.
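To make the behaviour above concrete, here is an added Python simulation (not Splunk code and not from the original post) of how transaction groups events per userid with startswith and maxevents, and what the trailing search action=login filter removes; the event list and user names are constructed for the example.

```python
# Constructed sample events (not from the post). alice has activity before her
# first login, and root keeps working after the 4-event window is full.
EVENTS = [
    {"_time": "10:11:10", "userid": "alice", "action": "ls"},
    {"_time": "10:11:11", "userid": "alice", "action": "cat /etc/hosts"},
    {"_time": "10:11:12", "userid": "root", "action": "login"},
    {"_time": "10:11:13", "userid": "root", "action": "cd /"},
    {"_time": "10:11:14", "userid": "root", "action": "rm -rf *"},
    {"_time": "10:11:15", "userid": "root", "action": "echo lol"},
    {"_time": "10:11:16", "userid": "root", "action": "logout"},
    {"_time": "10:11:17", "userid": "alice", "action": "login"},
    {"_time": "10:11:18", "userid": "alice", "action": "whoami"},
    {"_time": "10:11:19", "userid": "alice", "action": "login"},
    {"_time": "10:11:20", "userid": "alice", "action": "id"},
]


def transaction(events, field, startswith, maxevents):
    """Approximates `transaction <field> startswith=... maxevents=N`.

    Events are grouped per value of `field` in time order. A group closes and a
    new one opens when `startswith` matches (so a login is always the FIRST
    event of its group) or when the group already holds maxevents. Every group
    is returned, including ones that never saw a startswith match."""
    open_txn = {}   # field value -> events of the group still being collected
    closed = []
    for ev in events:
        key = ev[field]
        cur = open_txn.get(key)
        if cur is not None and (startswith(ev) or len(cur) >= maxevents):
            closed.append(cur)
            cur = None
        if cur is None:
            cur = open_txn[key] = []
        cur.append(ev)
    closed.extend(open_txn.values())
    closed.sort(key=lambda t: t[0]["_time"])
    # Like Splunk, expose the grouped field as a multivalue list plus eventcount.
    return [{field: t[0][field], "eventcount": len(t),
             "action": [e["action"] for e in t]} for t in closed]


def login_transactions(events, maxevents=4):
    """The post's fix: `... | search action=login` after the transaction. Since
    startswith makes login open a group, this keeps only groups that begin with it."""
    txns = transaction(events, "userid", lambda e: e["action"] == "login", maxevents)
    return [t for t in txns if "login" in t["action"]]
```

Running transaction() alone on the sample yields five groups, two of which (alice's pre-login commands and root's trailing logout) contain no login at all; login_transactions() keeps the three that do, with eventcount 4, 2 and 2.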
----------------------------------------------------
Thanks!
David Carasso