Splunk Search

How to fetch events based on below condition

surajgupta
New Member

Hi,

We have a requirement where client wants to see only events which satisfied the below condition.

Any events which were open for more than 30 mins OR >4 events in the last one hour (doesn't matter whether it's open or closed).

-Suraj
0 Karma

surajgupta
New Member

Hi,

we are trying the below query.

index=dynatrace sourcetype=alert dtIncidentName="Heap Usage - Splunk Condition Testing " NOT (zmondyn*) earliest=-20d
| dedup dtIncidentName dtIncidentMessage dtIncidentServerName
| table _time dtIncidentName dtIncidentMessage dtIncidentServerName dtIncidentIsClosed
| search dtIncidentIsClosed!="True"
| eval diff_mins=(now()-_time)/60
| table _time diff_mins
| where diff_mins>30
| stats count as diff30mins
| append [ search index=dynatrace sourcetype=alert dtIncidentName="Heap Usage - Splunk Condition Testing" earliest=-1h | stats count as countforanhour ]
| stats values(*) as *
| eval alertme=if(countforanhour>10 OR diff30mins>1,1,0)
| search alertme=1

I can see the alerts (alertme=1) if 4 events triggered within one hour, but it seems the second condition (alertme if diff_mins>30) is not working properly.
Can you please confirm whether both conditions evaluate events from the raw data, or one condition is evaluated over the output of the other?

-Suraj

0 Karma

somesoni2
SplunkTrust

It's much easier for us to help you if you provide more information, such as your current search/base search, which fields are primary key/grouping fields, etc.

0 Karma

surajgupta
New Member

Hi,

We are trying the below query.

index=dynatrace sourcetype=alert dtIncidentName="Heap Usage - Splunk Condition Testing " NOT (zmondyn*) earliest=-20d
| dedup dtIncidentName dtIncidentMessage dtIncidentServerName
| table _time dtIncidentName dtIncidentMessage dtIncidentServerName dtIncidentIsClosed
| search dtIncidentIsClosed!="True"
| eval diff_mins=(now()-_time)/60
| table _time diff_mins
| where diff_mins>30
| stats count as diff30mins
| append [ search index=dynatrace sourcetype=alert dtIncidentName="Heap Usage - Splunk Condition Testing" earliest=-1h | stats count as countforanhour ]
| stats values(*) as *
| eval alertme=if(countforanhour>10 OR diff30mins>1,1,0)
| search alertme=1

This query works fine for the first condition (if we get 4 alerts within 1 hour then alertme=1) but does not seem to work properly for the second condition (alertme if the events have been open for more than 30 mins).

0 Karma

pappjr
Path Finder

Hi @surajgupta,

I'm assuming you're talking about a ticketing system where Splunk logs "open" events and "closed" events. If that's the case you'll want to use the transaction command to find the "tickets open longer than 30 minutes" and probably write a separate search for more than 4 events per ticket and use the append command to join them together.

Your search will probably look something like this, but I would need to know more about your logs to give you an exact search:

index=your_index sourcetype=your_sourcetype
| transaction ticket_number startswith=eval(status="open") endswith=eval(status="closed")
| where duration > 1800
| append [
search index=your_index sourcetype=your_sourcetype
| bucket span=1h _time
| stats values(_raw) count by ticket_number, _time
| where count > 4 ]

Hope this helps!

0 Karma
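To make the two conditions in pappjr's answer concrete, here is an added worked example that is not part of the original thread and not Splunk code. It re-implements the same logic in Python over a constructed set of alert events: condition 1 pairs each ticket's "open" event with its "closed" event (or with the current time if the ticket is still open) and flags spans longer than 30 minutes, the way `transaction ... | where duration > 1800` would; condition 2 counts events per ticket per one-hour bucket regardless of status and flags counts greater than 4, the way `bucket span=1h _time | stats count by ticket_number, _time | where count > 4` would. The field names `ticket_number`, `status` and `_time`, the event values and the `NOW` timestamp are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample alert events (assumed field names; not from the original thread).
SAMPLE_EVENTS = [
    {"ticket_number": "T-1", "status": "open",   "_time": "2024-01-01T10:00:00Z"},
    {"ticket_number": "T-1", "status": "closed", "_time": "2024-01-01T10:45:00Z"},  # open 45 min
    {"ticket_number": "T-2", "status": "open",   "_time": "2024-01-01T11:00:00Z"},
    {"ticket_number": "T-2", "status": "closed", "_time": "2024-01-01T11:10:00Z"},  # open 10 min
    {"ticket_number": "T-3", "status": "open",   "_time": "2024-01-01T12:00:00Z"},  # never closed
    # T-4: five events in the 13:00 hour bucket, each closed within a minute
    {"ticket_number": "T-4", "status": "open",   "_time": "2024-01-01T13:05:00Z"},
    {"ticket_number": "T-4", "status": "closed", "_time": "2024-01-01T13:06:00Z"},
    {"ticket_number": "T-4", "status": "open",   "_time": "2024-01-01T13:20:00Z"},
    {"ticket_number": "T-4", "status": "closed", "_time": "2024-01-01T13:21:00Z"},
    {"ticket_number": "T-4", "status": "open",   "_time": "2024-01-01T13:40:00Z"},
]

# Assumed "current time" for the example, standing in for Splunk's now().
NOW = datetime(2024, 1, 1, 13, 50, tzinfo=timezone.utc)

OPEN_THRESHOLD = timedelta(minutes=30)   # condition 1: open longer than 30 minutes
EVENTS_PER_HOUR_THRESHOLD = 4            # condition 2: more than 4 events in one hour


def parse_time(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def long_open_tickets(events, now):
    """Condition 1: tickets open longer than OPEN_THRESHOLD.

    Duration is measured from a ticket's own 'open' event to its 'closed' event,
    or to `now` if no 'closed' event has arrived yet. Returns {ticket: minutes}
    with the longest qualifying span per ticket.
    """
    open_since = {}   # ticket -> time of the most recent unmatched 'open'
    flagged = {}
    for ev in sorted(events, key=lambda e: parse_time(e["_time"])):
        ticket, t = ev["ticket_number"], parse_time(ev["_time"])
        if ev["status"] == "open":
            open_since[ticket] = t
        elif ev["status"] == "closed" and ticket in open_since:
            duration = t - open_since.pop(ticket)
            if duration > OPEN_THRESHOLD:
                flagged[ticket] = max(flagged.get(ticket, 0), int(duration.total_seconds() // 60))
    # Tickets with no 'closed' event yet: measure up to now, not from every event to now.
    for ticket, t in open_since.items():
        duration = now - t
        if duration > OPEN_THRESHOLD:
            flagged[ticket] = max(flagged.get(ticket, 0), int(duration.total_seconds() // 60))
    return flagged


def noisy_tickets(events):
    """Condition 2: tickets with more than EVENTS_PER_HOUR_THRESHOLD events in any
    one-hour bucket, counting both 'open' and 'closed' events. Returns {ticket: count}
    with the highest qualifying bucket count per ticket.
    """
    counts = defaultdict(int)
    for ev in events:
        bucket = parse_time(ev["_time"]).replace(minute=0, second=0, microsecond=0)
        counts[(ev["ticket_number"], bucket)] += 1
    flagged = {}
    for (ticket, _bucket), count in counts.items():
        if count > EVENTS_PER_HOUR_THRESHOLD:
            flagged[ticket] = max(flagged.get(ticket, 0), count)
    return flagged


def tickets_to_alert(events, now):
    """Union of both conditions, mirroring the `append` of the two searches."""
    return sorted(set(long_open_tickets(events, now)) | set(noisy_tickets(events)))


if __name__ == "__main__":
    print("open > 30 min:", long_open_tickets(SAMPLE_EVENTS, NOW))
    print("> 4 events/hour:", noisy_tickets(SAMPLE_EVENTS))
    print("alert on:", tickets_to_alert(SAMPLE_EVENTS, NOW))
```

The point the example makes is that condition 1 is a per-ticket span between that ticket's open and close (or open and now), which is why a `transaction` grouped on the ticket identifier fits it, while condition 2 is a plain per-ticket count inside an hour bucket that ignores status; the two results are then unioned, as the `append` in the answer does.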