Solved: How can I search for an event that occurred within...

NimrodSky · ‎09-16-2015

Hi,

I need to run a search on an event that will return the occasions where this event happened within 5 minutes of the last time it happened.

Would appreciate any pointers to getting this done.

Thanks

Nimrod

woodcock · ‎09-16-2015

Like this:

... | reverse | streamstats current=f last(_time) AS prevTime | eval span=_time - prevTime | where span < 300

View solution in original post

woodcock · ‎09-16-2015

Like this:

... | reverse | streamstats current=f last(_time) AS prevTime | eval span=_time - prevTime | where span < 300

NimrodSky · ‎09-17-2015

A follow up question - I want to show the previous event as well, so I'll see the two events one after the other

How do I manage this?

Thanks

woodcock · ‎09-17-2015

Either like this:

... | reverse | streamstats current=f last(_time) AS prevTime  last(_raw) AS preEvent | eval span = _time - prevTime | where span < 300

Or like ths:

... | streamstats current=f last(_time) AS nextTime | reverse | streamstats current=f last(_time) AS prevTime | eval forespan = nextTime - _time | eval backspan= _time - prevTime | where backspan < 300 OR forespan < 300

NimrodSky · ‎09-16-2015

Thanks, that's what I was looking for !

How can I search for an event that occurred within five minutes from the last time it happened?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life