Splunk Search

How to build a search that will show events that have passed a specific threshold, create a table, and then provide filtering via a drop-down?

jcspigler2010
Path Finder

Hello Splunkers,

I am trying to compose a search to do the following and create a table based off of the results:

  1. Show only events where the count of field host AND eventtype AND message_text AND interface within a time period is larger than "X"
  2. Create a table with fields _time,host,eventtype,message_text,interface
  3. After creating the table, I want to be able to filter via dynamically built drop-down in a dashboard.

Essentially the customer wants to eliminate noise. They are only concerned with events that have happened a certain number of times within a specific time period. If a certain threshold is met, show me the event in a table. They deal with port flapping constantly but don't want to be alerted every time a port flaps. If a port flaps 2000 times, yes alert me. Build a table based off of this criteria, then provide filtering via drop-down.

Hopefully that makes sense. I don't even know where to start with this one.

Thanks!

0 Karma
1 Solution

DalJeanis
SplunkTrust
SplunkTrust

Supposing the time period they want to check against the count of X is hourly

| bin _time span=1h
| stats count by _time, host, eventtype,  interface, message_text
| where count > X

That creates your summary records for each hour that exceeded the threshold of X.

With that as your base search, you'll load your dropdowns with distinct available values of host, eventtype and interface. Not sure if message_text is reasonable to go into a dropdown, your call.
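A Simple XML dashboard that wires the base search above to a threshold input and to dropdowns populated from the search's own results, added here as an example (it is not from the thread); the index, sourcetype and token names are assumed placeholders.

```xml
<form>
  <label>Port flap events over threshold</label>
  <!-- Added example, not from the thread. index, sourcetype and token names are assumed. -->
  <fieldset submitButton="false">
    <input type="time" token="tr">
      <label>Time range</label>
      <default><earliest>-24h@h</earliest><latest>now</latest></default>
    </input>
    <input type="text" token="threshold">
      <label>Minimum events per hour (X)</label>
      <default>2000</default>
    </input>
    <!-- Dropdown choices come from the base search, so only hosts that crossed the threshold are offered. -->
    <input type="dropdown" token="host_tok" searchWhenChanged="true">
      <label>Host</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search base="base"><query>stats count by host</query></search>
    </input>
    <!-- The eventtype dropdown follows the same pattern as host and interface. -->
    <input type="dropdown" token="iface_tok" searchWhenChanged="true">
      <label>Interface</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>interface</fieldForLabel>
      <fieldForValue>interface</fieldForValue>
      <search base="base"><query>stats count by interface</query></search>
    </input>
  </fieldset>
  <!-- Base search: hourly counts per host/eventtype/interface/message, keeping only
       buckets above the threshold. It runs once; inputs and the table post-process it. -->
  <search id="base">
    <query>index=netops sourcetype=cisco:ios
| bin _time span=1h
| stats count by _time, host, eventtype, interface, message_text
| where count &gt; $threshold$</query>
    <earliest>$tr.earliest$</earliest>
    <latest>$tr.latest$</latest>
  </search>
  <row><panel><table>
    <search base="base">
      <query>search host="$host_tok$" interface="$iface_tok$"
| table _time, host, eventtype, message_text, interface, count</query>
    </search>
  </table></panel></row>
</form>
```

Post-process searches are capped at 500,000 base-search results by default, which is normally fine here because the base search already aggregates with stats. Note that `>` inside a Simple XML query must be written as `&gt;`.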

jcspigler2010
Path Finder

DalJeanis This is EXACTLY what I was looking for.

Thank you so much

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

You are quite welcome.

0 Karma

adonio
Ultra Champion

Hi jcspigler,
1. ... | stats count by host eventtype message_text interface | where count > X
2. ... | table _time,host,eventtype,message_text,interface
3. use form inputs for a dashboard by creating a token. I like to use the examples at the dashboard app. download here: https://splunkbase.splunk.com/app/1603/
Hope it helps.

jcspigler2010
Path Finder

Thanks Adonio. I'll try it this weekend. Had to run out of the office this afternoon.

Cheers

0 Karma