Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to set up an alert to trigger if any values change for 3 fields from the last scan and now?

kiran331
Builder
‎06-06-2016 07:12 AM

Hi all,

From a scan report of Qualys, I will get IP and its PORT, TCP_PORT, UDP_PORT. Now when the scan is done after a week, if there is any change in PORT or TCP_PORT or UDP_PORT values, an alert should be triggered. Is there a way of comparing the two results?

for Example:

index="abc" IP=10.22.23.3 | table  LAST_SCAN_DATETIME, PORT, TCP_PORT,  UDP_PORT

IP=10.22.23.3
LAST_SCAN_DATETIME      
2016-06-05T06:32:42Z    ,  PORT - 8808, 2022.   TCP_PORT-135    UDP_PORT-123

2016-05-08T06:52:25Z       PORT - 8808. TCP_PORT-135    UDP_PORT-123

A new port is added on 2016-06-05T06:32:42Z. How can I create an alert if there is any change in the values of these three fields?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎06-06-2016 07:25 AM

Do you only want an alert if the last two scans are different?

If so try this:

 index="abc" IP=10.22.23.3 | head 2 | table PORT | transpose | where 'row 1'!='row 2'

For 3 or more past events, this solution becomes more difficult:

 index="abc" IP=10.22.23.3 | head 3 | table PORT | transpose | where 'row 1'!='row 2' OR 'row 1'!='row 3' OR 'row 2'!='row 3'

View solution in original post

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎06-06-2016 07:43 AM

Try this

index="abc" IP=10.22.23.3 | timechat span=1d  dc(PORT) as Port  dc(TCP_PORT) as TCP  dc(UDP_PORT) as UDP | delta Port | delta TCP | delta UDP | addtotals | where Total!=0
0 Karma
Reply
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎06-06-2016 07:25 AM

Do you only want an alert if the last two scans are different?

If so try this:

 index="abc" IP=10.22.23.3 | head 2 | table PORT | transpose | where 'row 1'!='row 2'

For 3 or more past events, this solution becomes more difficult:

 index="abc" IP=10.22.23.3 | head 3 | table PORT | transpose | where 'row 1'!='row 2' OR 'row 1'!='row 3' OR 'row 2'!='row 3'
0 Karma
Reply
Solved! Jump to solution

kiran331
Builder
‎06-06-2016 07:42 AM

Thanks! Yes, i want an alert based on the last scan, But here i have 100+ of IP's and can i use more attributes PORT, TCP_PORT and UDP_PORT.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...