Solved: How to search events that occur at least one per d...

C4r7m4n · ‎04-05-2012

Hello,

Does anybody know how to write a search that find events occur at least one per day and these events count as one and these counts must occur 5 or more times per week.

See http://imageshack.us/photo/my-images/854/5per7.jpg/

Best Regards,
C4r7m4n

C4r7m4n · ‎04-09-2012

Hi @jt_splunk

Thank you for your respond.

I don't know how exactly field or all you have wrote, relate to my search: source="/var/log/alerts_splunk.log" hostname="*" (name="df.*" AND value>99) OR (name="*.var" AND value>95) | stats count by hostname name value | dedup hostname name | sort value desc

I don't quite understand statements: dedup date_wday <fieldofinterest> 😞
Remove duplicate occur at day of the week?

View solution in original post

C4r7m4n · ‎04-12-2012

Hello @jt_splunk

The statement: | where count > 4 | sort value desc
does not work for me:(

Does where word is not deprecated?

And why do You dedup by date_wday hostanem and name
instead only by date_wday

"If I understand correctly, for each day of the week, you only care if an event is present or not" -- correct

"Then, you want to know if that event occurs over the course of 5 days, right?" -- Then I want to know if that event occurs 5 times or more in the week (e.g. Monday, Tuesday, Wednesday, Friday and Sunday: 5 times in the week)
(e.g.2 Monday, Tuesday, Wednesday, Thursday, Friday and Sunday: 6 times in the week

Best Regards,
C4r7m4n

C4r7m4n · ‎04-12-2012

Hello @jt_splunk

It's working, thx

C4r7m4n · ‎04-12-2012

Hi @jt_splunk

Sorry I made a mistake I wrote count as not count by 😞

I will test it and give you respond... 😉

jt_splunk · ‎04-12-2012

I just verified in 4.3.1 that where is still a current and active search keyword. So "| where count > 4" should work for you. What results are you getting when you use just the where portion?

C4r7m4n · ‎04-09-2012

Hi @jt_splunk

Thank you for your respond.

I don't know how exactly field or all you have wrote, relate to my search: source="/var/log/alerts_splunk.log" hostname="*" (name="df.*" AND value>99) OR (name="*.var" AND value>95) | stats count by hostname name value | dedup hostname name | sort value desc

I don't quite understand statements: dedup date_wday <fieldofinterest> 😞
Remove duplicate occur at day of the week?

jt_splunk · ‎04-10-2012

If I understand correctly, for each day of the week, you only care if an event is present or not. Then, you want to know if that event occurs over the course of 5 days, right? Try this:

source="/var/log/alerts_splunk.log" hostname="" (name="df." AND value>99) OR (name="*.var" AND value>95) | dedup date_wday hostname name | stats count by hostname name value | where count > 4 | sort value desc

jt_splunk · ‎04-06-2012

Depending on your dataset, it shouldn't be that hard. Try something like this (modify the dates accordingly):

earliest=3/18/2012:0:0:0 latest=3/23/2012:0:0:0 | dedup date_wday | stats c by | where c > 4

If you want a relative timeframe, make earliest=-7d.

C4r7m4n · ‎04-06-2012

Hello @Joetron

What do you mean sample of events? (log?)

Below I attached picture: look at

RicoSuave · ‎04-05-2012

You will probably have to use a combination of transaction and eval commands. Can you post a sample of your events? That would really help.

How to search events that occur at least one per day, count as one and number of such counts are 5 or more per one week?

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2