How can I filter search results to only show sequential time buckets?

jedatt01
Builder

I have the need to filter the results of my search to only show 30 minutes of consecutive 5 minute time buckets. In other words, 6 consecutive time buckets.

Example of results I want to see

_time     Event
9:00 am   My event
9:05 am   My event
9:10 am   My event
9:15 am   My event
9:20 am   My event
9:25 am   My event

But, I do not want to show any results if it is like below

_time     Event
6:35 am   My event
6:40 am   My event
9:05 am   My event
9:10 am   My event

Also one additional caveat. It is possible that my results could show 6 sequential buckets and more events that are not sequential because my time range is 12 hours. In this case I want to cut out the non-sequential buckets and only display if there are 6 sequential buckets.

0 Karma

Richfez
SplunkTrust

Do you mean your time selector is set to 12 hours, but you only want to display 30 minutes of that?

One way to do this is by overriding the time range selector.

    ... othersearchterms earliest=-30m@m ... | other search stuff

There's an equivalent latest=x argument too, so 60 minutes to 30 minutes ago would be earliest=-60m latest=-30m. You can snap them to minutes or do other time manipulation.

If instead you don't know which time frame ahead of time, then we may need a bit more information. Like, which set of 6 times do you want - any sequence of 6 in a row? Only a particular sequence of 6 in a row (and how do you know which one you want)? A sliding window of the sum/total/whatever of the previous 6? An example that covers that specifically would be very helpful if that's the case.

0 Karma

jedatt01
Builder

I have the time range set to 12 hours because my search is trying to detect a pattern of events in the last 12 hours. But, I'm only interested in seeing results when that pattern is detected for 30 minutes straight (6 consecutive 5 min time buckets).

0 Karma

jkat54
SplunkTrust

Hi, three examples are below. You can google each command to get more details. There are other options like minspan and more.

    ...|timechart bins=6 ...   (Time picker set to last 30min)

    ...|timechart span=5m ...

    ...|bin span=5m|...
0 Karma

jkat54
SplunkTrust

For the six-consecutive-buckets request... You'd have to use some additional logic / magic. Something like using transaction with a span of time equal to 30 minutes, then a mvzip followed by a mvexpand and then a where count > 5.

0 Karma

jedatt01
Builder

This almost works! The only problem I have with using timechart is that sometimes my 6 time buckets might be split between two span buckets. For instance, the first of the six events starts at 9:50 and the run goes to 10:15.

In that case I will have six consecutive 5 minute buckets, but they will be split into 2 different 30 minute buckets.

ex.

_time   bucket_count
9:30    2
10:00   4

Can I somehow use transaction in this case?

0 Karma
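One way to get the run-length check that jkat54 sketched (transaction, then a count filter) without the fixed 30-minute windows that split the 9:50-10:15 run in the example above. This is an added example, not a search from the original thread. It assumes the time picker is still set to the last 12 hours, that `...` stands for the original search terms, and that the field names events, prev_time, gap, run_start, run_id and run_len are made up for this example.

```spl
...
| bin _time span=5m
| stats count AS events BY _time
| streamstats current=f last(_time) AS prev_time
| eval gap=_time-prev_time
| eval run_start=if(isnull(prev_time) OR gap!=300, 1, 0)
| streamstats sum(run_start) AS run_id
| eventstats count AS run_len BY run_id
| where run_len>=6
| table _time events run_id run_len
```

Line by line: `bin` snaps every event to a 5-minute boundary and `stats count BY _time` collapses the 12 hours into one row per populated bucket, sorted ascending. `streamstats current=f last(_time)` carries the previous row's bucket time forward, so `gap` is exactly 300 seconds whenever two populated buckets are adjacent; an empty bucket never produces a row, so any larger gap (or the first row) marks the start of a new run via `run_start`. The running sum of `run_start` gives each run its own `run_id`, `eventstats count BY run_id` measures how long each run is, and the `where` keeps only runs of six or more buckets, which is the "cut out the non-sequential buckets" behaviour asked for. Because the run boundaries come from the data rather than from a 30-minute `span`, a run that starts at 9:50 is one run of six regardless of where the half-hour boundary falls. Compared with `transaction maxspan=30m`, this avoids holding raw events in memory and works on the bucket counts directly; if the pattern needs a minimum number of events per bucket, add `| where events>=N` right after the `stats`.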

jkat54
SplunkTrust

Can you give me your search that "almost works"?

0 Karma