Splunk Search

How to include timestamp of most recent event in a comparison between current day and a prior period

djhowie
New Member

I have a search that compares the number of events for the current day, for a given combination of fields, to the daily average over the prior two weeks. The search is pretty involved and is included below for reference. The search works as intended. There may be ways to simplify the search and I'm open to such feedback, but simplifying the search is not my question. My question is...

How can I add the timestamp of the most recent occurrence for the combination of fields?

I've included two screenshots. The first screenshot shows the current results and the second screenshot illustrates the desired results.

Any advice is appreciated. Thanks

sourcetype=xxxxxxxx earliest=@w6-14d latest=@w6
| eval Prior_or_Current="Prior"
| append [search sourcetype=xxxxxxxx earliest=@d
| eval Prior_or_Current="Current"]
| eval dayOfWeek=strftime(_time, "%A")
| eval hourOfDay=strftime(_time, "%H")
| search NOT ((dayOfWeek="Friday" AND hourOfDay>=20) OR (dayOfWeek="saturday" AND hourOfDay<5) OR (dayOfWeek="sunday" AND (hourOfDay>=0 AND hourOfDay<5)))
| eval Event_Date=strftime(_time, "%F")
| rex "msg\=\'(?<msg_first22char>(.{22}))"
| eval Combined_Key=err_transaction_id.",".err_program.",".msg_first22char
| stats count by Event_Date Combined_Key Prior_or_Current
| chart avg(count) over Combined_Key by Prior_or_Current
| eval Prior=if(Prior>"",Prior,0)
| eval Current=if(Current>"",Current,0)
| eval Percent_Change=(Current-Prior)/Prior*100
| eval Percent_Change=if(Percent_Change>"",Percent_Change,if(Prior>0,-100,100))
| eval Percent_Change=round(Percent_Change,0), Prior=round(Prior,0), Current=round(Current,0)
| rename Prior as Prior_Period_Daily_Avg Current as Current_Day_Count
| eval Sort_To_The_Top=if((Prior_Period_Daily_Avg=0 OR (Percent_Change>=50 AND Prior_Period_Daily_Avg>=200) OR (Percent_Change>=100 AND Prior_Period_Daily_Avg>=50) OR (Percent_Change>=500 AND Prior_Period_Daily_Avg>=10) OR Percent_Change>=1000), 0, if(Percent_Change>-1,1,2))
| search Sort_To_The_Top=0
| rex field=Combined_Key "(?<err_transaction_id>[\w|\W]+),(?<err_program>[\w|\W]+),(?<msg_first22chars>[\w|\W]+)"
| rex mode=sed field="err_transaction_id" "s/\'//g" 
| rex mode=sed field="err_program" "s/\'//g"
| sort Sort_To_The_Top -Current_Day_Count -Percent_Change -Prior_Period_Daily_Avg err_transaction_id err_program msg_first22chars
| table err_transaction_id err_program msg_first22chars Prior_Period_Daily_Avg Current_Day_Count Percent_Change

Current Results
alt text

Desired Results
alt text

Tags (1)
0 Karma

djhowie
New Member

I understand how to get the latest time. The problem is I cannot figure out how to incorporate it into the overall search to achieve the desired results without breaking the existing functionality.

0 Karma

djhowie
New Member

Thanks for the reply. I understand that the stats command can be used to compute the latest timestamp. The problem is figuring out how to work it into the overall search. I tried inserting the stats, along with tabling all fields referenced in the subsequent portions of the search, but it doesn't work. I get zero results. See lines 9 and 10. Thanks

sourcetype=xxxxxxxx earliest=@w6-14d latest=@w6
| eval Prior_or_Current="Prior"
| append [search sourcetype=xxxxxxxx earliest=@d
| eval Prior_or_Current="Current"]
| eval dayOfWeek=strftime(_time, "%A")
| eval hourOfDay=strftime(_time, "%H")
| search NOT ((dayOfWeek="Friday" AND hourOfDay>=20) OR (dayOfWeek="saturday" AND hourOfDay<5) OR (dayOfWeek="sunday" AND (hourOfDay>=0 AND hourOfDay<5)))
| eval Event_Date=strftime(_time, "%F")
| stats latest(_time) AS Latest_Occurrence
| table err_transaction_id err_program msg Prior_or_Current Event_Date Latest_Occurrence
| rex "msg\=\'(?<msg_first22char>(.{22}))"
| eval Combined_Key=err_transaction_id.",".err_program.",".msg_first22char
| stats count by Event_Date Combined_Key Prior_or_Current
| chart avg(count) over Combined_Key by Prior_or_Current
| eval Prior=if(Prior>"",Prior,0)
| eval Current=if(Current>"",Current,0)
| eval Percent_Change=(Current-Prior)/Prior*100
| eval Percent_Change=if(Percent_Change>"",Percent_Change,if(Prior>0,-100,100))
| eval Percent_Change=round(Percent_Change,0), Prior=round(Prior,0), Current=round(Current,0)
| rename Prior as Prior_Period_Daily_Avg Current as Current_Day_Count
| eval Sort_To_The_Top=if((Prior_Period_Daily_Avg=0 OR (Percent_Change>=50 AND Prior_Period_Daily_Avg>=200) OR (Percent_Change>=100 AND Prior_Period_Daily_Avg>=50) OR (Percent_Change>=500 AND Prior_Period_Daily_Avg>=10) OR Percent_Change>=1000), 0, if(Percent_Change>-1,1,2))
| search Sort_To_The_Top=0
| rex field=Combined_Key "(?<err_transaction_id>[\w|\W]+),(?<err_program>[\w|\W]+),(?<msg_first22chars>[\w|\W]+)"
| rex mode=sed field="err_transaction_id" "s/\'//g" 
| rex mode=sed field="err_program" "s/\'//g"
| sort Sort_To_The_Top -Current_Day_Count -Percent_Change -Prior_Period_Daily_Avg err_transaction_id err_program msg_first22chars
| table err_transaction_id err_program msg_first22chars Prior_Period_Daily_Avg Current_Day_Count Latest_Occurrence Percent_Change
0 Karma

DEAD_BEEF
Builder

What about deleting line 9 and then just including _time in your table?

0 Karma

djhowie
New Member

I have not tried that, but I don't expect that will work. The search in question does not output every event. The search computes the daily count of events, based upon a combination of selected fields, to the daily average over the prior two weeks. The intent is to include the latest timestamp for the combination of fields.

0 Karma

DEAD_BEEF
Builder

When you say the latest timestamp for the combination of fields, there must be some timestamp within the log that holds those fields. Could you eval the _time of each of those fields, compare them, and then return the latest one? It doesn't sound pretty but it may be an option.

0 Karma

DEAD_BEEF
Builder

Try this

| stats latest(_time) AS Latest_Occurrence
| table Latest_Occurrence

yshen
Communicator

How can I make Latest_Occurrence value readable. Currently, it's of the following value, for example, 

1597896470

I'd like it to be for example, 

2020-08-19 22:40:37

Thanks!

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...