- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to filter my search results to only return eve...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a csv file indexed containing the fields "Timestamp" and "Event1"
Sample data is as follows
Timestamp Event1
time1 25
time2 29
time3 35
time4 36
timen-1 34
timen 35
I want to extract events where the Event1 value is > 35 for continuous duration of at least 10 minutes. This will be help find out what the start time of an event is when value at > 35 and the value remained > 35 for 10 minutes or more
Can some one help me with search?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this (assuming
If the field Timestamp is not in epoch format and its in the formst (%d-%b-%y %H:%M %p), change as per your data
your base search giving Timestamp, Event1 | eval _time=strptime(Timestamp,"%d-%b-%y %H:%M %p") | eval Type=if(Event1>=35,1,0) | streamstats current=f window=1 first(Type) as previous | eval temp=if(Type=previous,0,1) | accum temp | eventstats max(_time) as max min(_time) as min by temp | eval duration=(max-min)/600 | where duration>=1 | table _time Event1 duration
If Timestamp is epoch
your base search giving Timestamp, Event1 | eval _time=Timestamp | eval Type=if(Event1>=35,1,0) | streamstats current=f window=1 first(Type) as previous | eval temp=if(Type=previous,0,1) | accum temp | eventstats max(_time) as max min(_time) as min by temp | eval duration=(max-min)/600 | where duration>=1 | table _time Event1 duration
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this (assuming
If the field Timestamp is not in epoch format and its in the formst (%d-%b-%y %H:%M %p), change as per your data
your base search giving Timestamp, Event1 | eval _time=strptime(Timestamp,"%d-%b-%y %H:%M %p") | eval Type=if(Event1>=35,1,0) | streamstats current=f window=1 first(Type) as previous | eval temp=if(Type=previous,0,1) | accum temp | eventstats max(_time) as max min(_time) as min by temp | eval duration=(max-min)/600 | where duration>=1 | table _time Event1 duration
If Timestamp is epoch
your base search giving Timestamp, Event1 | eval _time=Timestamp | eval Type=if(Event1>=35,1,0) | streamstats current=f window=1 first(Type) as previous | eval temp=if(Type=previous,0,1) | accum temp | eventstats max(_time) as max min(_time) as min by temp | eval duration=(max-min)/600 | where duration>=1 | table _time Event1 duration
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Works. Thanks for the help
Made a small change.
your base search giving Timestamp, Event1 | eval _time=Timestamp | eval Type=if(Event1>=35,1,0) | streamstats current=f window=1 first(Type) as previous | eval temp=if(Type=previous,0,1) | accum temp as tempcount | eventstats max(_time) as max min(_time) as min by tempcount | eval duration=(max-min)/600 | where duration>=1 | table _time Event1 duration
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should just run a search and use a WHERE clause, take a look at the implementation;
search ... | table Timestamp, Event1 | WHERE (Event1 > 35) AND ()
You will have to come up with what you're looking for inside the last brackets, as I'm not too sure what else you want in there.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
