Splunk Search

How to identify seasonal event log messages? (every weekend, every month, every day at a certain time, etc.)

RocIngersol
Explorer

I’ve got a stream of event logs (log4j variation - timestamp host class msg summary etc) coming in – I want to identify what event log messages have an element of seasonal regularity (i.e. every weekend, every month, every day at a certain time etc). I know there are some already through manual exploration, but would love to be able to search / report on what events have a form of seasonality.

Looking at x11 or predict, they seem to be for time series data, and not event log messages as such.

0 Karma

DarthDMader
Explorer

Hi,
I would concentrate my search on the date_* fields and also the stats and eval functions.
Without example data I can't figure out all possibilities.
Kind Regards
Darth

0 Karma

RocIngersol
Explorer

Ok Darth - good call... so I've done this (with sample data)


So now I can find the events (categoryId) that have some form of seasonality or regular frequency.

0 Karma

RocIngersol
Explorer

Not an answer - but more of my own thought on how to achieve this using cluster.

Can I list all the events grouped in a cluster and then work out the time between each event in the cluster? Doing that would give me a way of seeing a pattern if there is an element of seasonality to each event, i.e. every hour or every x days etc.

0 Karma

RocIngersol
Explorer

OK.. so I can table out all the events on a per cluster basis with

<your search> | cluster | table _time, cluster_count, cluster_label

BUT how could I work out the time between each event in each cluster? Some sort of foreach?

thx!

0 Karma
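One way to get the inter-event gaps per cluster and flag the clusters that recur on a regular schedule, as an added SPL example that is not from this thread (the index, sourcetype, cluster threshold and the cut-offs on the last two lines are assumptions to adjust for your data; cluster_count and cluster_label are the cluster command's default output fields):

```spl
index=app sourcetype=log4j earliest=-30d@d
| cluster t=0.9 showcount=t labelonly=t
| sort 0 cluster_label _time
| streamstats current=f last(_time) as prev_time by cluster_label
| eval gap_min=round((_time-prev_time)/60,1)
| eval hour=strftime(_time,"%H"), wday=strftime(_time,"%a")
| stats count as events,
        avg(gap_min) as avg_gap_min,
        stdev(gap_min) as sd_gap_min,
        dc(hour) as distinct_hours,
        dc(wday) as distinct_weekdays,
        values(hour) as hours,
        values(wday) as weekdays,
        first(_raw) as sample_event
  by cluster_label
| eval gap_cv=round(sd_gap_min/avg_gap_min,2)
| where events>=3 AND (gap_cv<0.15 OR distinct_hours<=2)
| sort gap_cv
```

streamstats with current=f carries the previous event's _time into each row of the same cluster, so gap_min is the wait since the last occurrence; a low coefficient of variation (gap_cv) means a near-constant interval such as hourly or every x days, while a cluster that only ever fires in one or two hours of the day (distinct_hours) is the "every day at a certain time" case, and the weekdays column shows weekend-only patterns.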