Trigger An Alert For Any Unique/New Incoming Events OR Results
Today we will look at a common alerting requirement that many people are looking for a solution to: creating an alert that triggers only when unique or new results are received.
Suppose we have data from our website giving us information about all the users trying to log in with their credentials. We will create an alert that triggers only when a new user, i.e. a username we have not seen before, tries to log in to our website.
Here the data is in an index called “test_index” with sourcetype “web_data”, and each event carries the username of the user and the name of the country they are logging in from.
Step 1:
First, we will create a lookup from the already existing data.
index="test_index" sourcetype="web_data"
| stats count by username country
| eval match="yes"
| outputlookup username.csv
Explanation:
Using the “stats” command we calculated the number of times each user has logged in to our website, broken down by “username” and “country”. Then, using the “eval” command, we created a field called “match” and set it to the string “yes”; we will use this as a reference field later when comparing the lookup with our indexed data. Finally, using the “outputlookup” command we saved the result in a lookup file named “username.csv”.
Now if you search
| inputlookup username.csv
you will see the contents of the “username.csv” lookup.
Step 2:
Now we will create the alert. Before creating it, we will prepare the alert's search string.
index="test_index" sourcetype="web_data"
| stats count by username country
| lookup username.csv username OUTPUTNEW country match
| search NOT match="yes"
| eval match="yes"
| outputlookup append=t username.csv
| fields - count match
Explanation:
Using the “stats” command we calculated the number of times each user has logged in to our website, broken down by “username” and “country”. Then we used the “lookup” command with “username” as the matching field between “username.csv” and our indexed data. This brings together the usernames from the lookup and the index, and the “OUTPUTNEW” attribute fills in the “country” and “match” fields only for usernames that are missing them, i.e. for newly seen usernames. Then we search for those usernames that do not have match=yes; this fetches only the new usernames, because new users have no entry in the lookup file. After that, using the “eval” command we created a field called “match” with the value “yes”, and using the “outputlookup” command we added the new usernames to our lookup file “username.csv” (here we used “append=t”, which means the new data is appended to the existing data). We must update the lookup file in this way because these users will be existing users the next time the search runs. Finally, using the “fields” command we excluded the “count” and “match” fields from the results.
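As an added illustration (not code from the original post), the Python below simulates what the Step 1 lookup and the Step 2 search do: count logins by username and country, flag rows whose username is absent from username.csv, and append them so they count as existing on the next run. The events and CSV contents are constructed sample data, and the key_fields parameter is an added generalization so the same logic can also match on username plus country.

```python
import csv
import io
from collections import Counter

# Constructed sample of web_data login events (not real data from the post).
EVENTS = [
    {"username": "alice", "country": "IND"},
    {"username": "alice", "country": "IND"},
    {"username": "bob", "country": "USA"},
    {"username": "StromBreaker_red", "country": "CMR"},
]

# Constructed username.csv as Step 1 would have written it (same columns as the post).
USERNAME_CSV = "username,country,count,match\nalice,IND,3,yes\nbob,USA,1,yes\n"
COLUMNS = ["username", "country", "count", "match"]


def stats_count(events):
    """Equivalent of `stats count by username country`."""
    counts = Counter((e["username"], e["country"]) for e in events)
    return [{"username": u, "country": c, "count": n}
            for (u, c), n in sorted(counts.items())]


def detect_new_users(events, csv_text, key_fields=("username",)):
    """Step 2 of the post: keep rows whose key has no entry in the lookup, then
    append them to the lookup (outputlookup append=t) so they are 'existing'
    on the next run. key_fields=("username",) matches the post's search;
    ("username", "country") also flags a known user seen from a new country.
    Returns (alert_rows, updated_csv_text)."""
    known = {tuple(row[f] for f in key_fields)
             for row in csv.DictReader(io.StringIO(csv_text))}
    new_rows = [r for r in stats_count(events)
                if tuple(r[f] for f in key_fields) not in known]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    for r in new_rows:
        writer.writerow({**r, "match": "yes"})  # eval match="yes" before outputlookup
    # `fields - count match`: the alert payload keeps only username and country
    alert_rows = [{"username": r["username"], "country": r["country"]} for r in new_rows]
    return alert_rows, csv_text + buf.getvalue()


if __name__ == "__main__":
    rows, updated_csv = detect_new_users(EVENTS, USERNAME_CSV)
    print(rows)  # first run: the StromBreaker_red / CMR row is new
    print(detect_new_users(EVENTS, updated_csv)[0])  # second run: nothing new
```

Because the post's search matches on username only, a known user logging in from a new country is not flagged; pass key_fields=("username", "country") if that case should alert too.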
Now we will save this as an alert.
Go to Settings > Searches, reports, and alerts > New alert
Now create the alert: give it any title, paste the search string, and fill in the remaining settings as mentioned below.
Finally, save it and proceed further.
Result:
Now, whenever a unique username is received, the alert will trigger.
If you look carefully, the alert was triggered for a new username called “StromBreaker_red” from the country “CMR”.
Hope you have understood the topic: Trigger An Alert For Any Unique/New Incoming Events OR Results
Happy Splunking !!!