Finding events for users that have not been seen i...

Liran · ‎07-16-2023

I need to create a baseline for what is common in an environment before creating a rule.

The rule can be as simple as:

search index=x sourcetype=y NOT [search index=x sourcetype=y earliest=-14d  |  table user]

The issue is doing an historical search using a simple search. I've looked a few commands including transaction and streamstats but did not manage to find a way to run this search recursively.

The basic idea is to find a rare value on a specific field that is only seen less than a set threshold (e.g. 10 events) during a 14 days windows.

gcusello · ‎07-16-2023

Hi @Liran ,

please trey something like this:

index=x sourcetype=y
| eval period=if(_time>now()-864000,"last","previous")
| stats count BY period
| search period="last" count<10

in this way you tag the events in two categories: "last" (Last 10 days) and "previous".

Then you have events if in the last period there are less than a threshold (10 events).

ciao.

Giuseppe

ITWhisperer · ‎07-16-2023

Not sure what the question is here - please can you clarify / expand?

Finding events for users that have not been seen in the last X days

other

subsearch

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases