- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Splunk Query to compute the count of consecutive h...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have data like this...
- Date - Hour - Sample Number
- 05/01/2014 - 10 - 200
- 05/01/2014 - 11 - 201
- 05/01/2014 - 12 - 202
- 05/01/2014 - 15 - 205
- 05/01/2014 - 16 - 206
- 05/01/2014 - 20 - 210
On 05/01/2014 the max number of consecutive hourly violations i.e. sample 200,201,202 is 3 and occurred between hours 10 to 12.
I have data like this for each day for a month.
I need a splunk query to computer the per day max consecutive hourly violations and the time range between in which it occurred.
Similarly for the entire month I would like the date in which the max number of hourly violations occurred for the month and time range of day.
Any help will be appreciated.
Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This solution assumes that your event timestamp (_time) corresponds to the Date and Hour in your events.
yoursearchhere
| transaction Date maxpause=61m
| eval earliestHour=strftime(_time,"%H")
| eval latestHour=strftime(_time+duration,"%H")
| eval errorCount = eventcount
| table Date earliestHour latestHour errorCount
| sort Date -errorCount
| dedup Date
This should work great as long as you have less than 1000 events per Date. Otherwise, Splunk can get a little picky about compiling the transactions - and at that point the solution might start to slow down anyway.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This solution assumes that your event timestamp (_time) corresponds to the Date and Hour in your events.
yoursearchhere
| transaction Date maxpause=61m
| eval earliestHour=strftime(_time,"%H")
| eval latestHour=strftime(_time+duration,"%H")
| eval errorCount = eventcount
| table Date earliestHour latestHour errorCount
| sort Date -errorCount
| dedup Date
This should work great as long as you have less than 1000 events per Date. Otherwise, Splunk can get a little picky about compiling the transactions - and at that point the solution might start to slow down anyway.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@lguinn2
I have a query, there is a table where we have the job_result column, if we get consective 5 jobs failed then we need to be alerted.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Awesome lguinn! Works well. Great Insight.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
