- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Show events that occur in particular order
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
I'm fairly new to splunk and was wondering if someone could point me in the direction I need to go. I'm having trouble with making searches that will show when event A occurs and then event B occurs after within a time frame. The after part is crucial as the inverse occurrence is less important to us.
Some examples:
- A system has a log in the antivirus malware index then within a short period of time has over 100 blocked websites (logs in proxy index)
- A system has downloaded a file (logs in proxy index) then within a short period of time has over 100 blocked websites (logs in proxy index)
- A system has a log in the ids index then within a short period of time has excessive blocks on the firewall (logs in firewall index)
I don't need help formulating the pieces of the search, such as how to find if there are 100 blocked sites or if a file was downloaded. The bigger issue is how do I say if event A and after event B occurs within a specific time range.
Thanks,
Kim
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The join command can be used to combine the results of two searches - and to restrict the time-ordering. Usually I suggest that people try to combine searches and avoid join, since it can be slow.
But for this situation, the join command might be helpful and easier than something like delta. This kind of search might do what you want...
index=antivirus "malware event"
| join host usetime=T earlier=F [ search index=proxy "blocked event"
| stats count earliest(_time) as _time by host
| where count > 100 ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The join command can be used to combine the results of two searches - and to restrict the time-ordering. Usually I suggest that people try to combine searches and avoid join, since it can be slow.
But for this situation, the join command might be helpful and easier than something like delta. This kind of search might do what you want...
index=antivirus "malware event"
| join host usetime=T earlier=F [ search index=proxy "blocked event"
| stats count earliest(_time) as _time by host
| where count > 100 ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use delta command on _time field to calculate time difference between two events. Once you filter the events you need and calculate time difference, (+ve time diff means they occurred after each other) and do more processing. More details of search/data will be helpful here to provide more to the point answers.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
