How to edit my search to only return results that ...

CREVITCH · ‎01-12-2016

I would like to issue the following search, but only get results that exceed a count within a time window. I see how to set an alert to do this, but I just want to search my current stored events. How do I do this in a search?

user=* action=* | stats count by user, action

somesoni2 · ‎01-12-2016

Did you try adding a where clause in the end to compare count with your threshold?

Like
your current search ...| where count > yourthreshould

CREVITCH · ‎01-13-2016

Thanks. Is there a way to do this for count over a moving time window for stored events? Right now the count is the total over the interval defined by the time range picker. In other words, is there a way to count events by user that exceed a threshold within a moving 5 minute time window over my event history?

CREVITCH · ‎01-13-2016

your current search ...| where count > [ search your search to get get threshold for move 5 min window | return $yourthreshold ]

This looks like what I want but not sure of the syntax. I am fine with a fixed thresshold. How do I search for a count of events in a moving 5 minute window that have the string "failed", and output the count when it exceeds a fixed thresshold?

somesoni2 · ‎01-13-2016

You can use a subsearch to get the value of yourthreshold to be used. In you subsearch, write your search to get threshold for move 5 min window.

your current search ...| where count > [ search your search to get  get threshold for move 5 min window | return $yourthreshold ]

How to edit my search to only return results that exceed a certain count within a time window?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!