- Splunk Answers
- :
- Splunk Premium Solutions
- :
- Security Premium Solutions
- :
- Splunk Enterprise Security
- :
- I am searching for a query
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am new to Splunk (Enterprise Security) and I am stuck on making a certain correlation search.
An example of the events I get:
1) 1/1/2018 12:00:00 | voltage=200
2) 1/1/2018 12:00:01 | voltage=400
3) 1/1/2018 12:00:02 | voltage=200
4) 1/1/2018 12:00:03 | voltage=200
Is it possible to get the events in a range of 1 second of each other where the difference in voltage is more than 100?
So what I mean is that I need for every combination of 1 second a control that the difference is more than 100.
So the result needs to be:
- event 1: difference between 1 and 2 in voltage is more than 100
- event 2: difference between 2 and 3 in voltage is more than 100
Can someone help me with this? I have no clue how to solve this one...
Many thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This assumes that your readings are ALWAYS every 1 second and you just mean successive readings with voltage difference more than 100.
your current search giving above results
| streamstats current=t window=2 range(voltage) as voltage_difference
| reverse
| streamstats current=f window=1 last(voltage_difference) as voltage_difference2
| where (voltage_difference > 100) OR (voltage_difference2 > 100)
| reverse
This assumes that your readings may happen at other intervals and you are only interested in those that are within 1 second of each other with voltage difference more than 100.
your current search giving above results
| streamstats current=t time_window=1s range(voltage) as voltage_difference
| reverse
| streamstats current=t time_window=1s range(voltage) as voltage_difference2
| where (voltage_difference > 100) OR (voltage_difference2 > 100)
| reverse
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the answers!
Now I have another question following on the previous one:
How can I make it that way, an event is triggered when this event happens X times over 10 seconds for example?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This assumes that your readings are ALWAYS every 1 second and you just mean successive readings with voltage difference more than 100.
your current search giving above results
| streamstats current=t window=2 range(voltage) as voltage_difference
| reverse
| streamstats current=f window=1 last(voltage_difference) as voltage_difference2
| where (voltage_difference > 100) OR (voltage_difference2 > 100)
| reverse
This assumes that your readings may happen at other intervals and you are only interested in those that are within 1 second of each other with voltage difference more than 100.
your current search giving above results
| streamstats current=t time_window=1s range(voltage) as voltage_difference
| reverse
| streamstats current=t time_window=1s range(voltage) as voltage_difference2
| where (voltage_difference > 100) OR (voltage_difference2 > 100)
| reverse
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here are a couple of different ways, all starting with this to generate fake event data:
|makeresults
| eval raw="1/1/2018 12:00:00 | voltage=200:::1/1/2018 12:00:01 | voltage=400:::1/1/2018 12:00:02 | voltage=200:::1/1/2018 12:00:03 | voltage=200"
| makemv delim=":::" raw
| mvexpand raw
| rename raw AS _raw
| eval _time=strptime(_raw, "%m/%d/%Y %H:%M:%S")
| rex "voltage=(?<voltage>\d+)"
| streamstats count AS SERIAL
Here is one way:
| reverse
| streamstats time_window=2 range(voltage) AS voltage_span
| search voltage_span>100
| reverse
Here is another way that presumes you have exactly 1 measure/second:
| reverse
| autoregress voltage AS prev_voltage
| where abs(voltage - prev_voltage) > 100
| reverse
And yet another way that presumes you have exactly 1 measure/second:
| reverse
| streamstats current=f window=1 last(voltage) as prev_voltage
| where abs(voltage - prev_voltage) > 100
| reverse
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
your current search giving above results
| streamstats current=f window=1 values(voltage) as prev_voltage
| where abs(prev_voltage-voltage)>100
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
