Return only those events who exist in consecutive ...

jpawloski · ‎10-04-2019

So I'm working on a search that returns standard network stuff and using a bin to bucket the data by a day. Something like this:

base search earliest=-7d | bin _time span=1d as window | stats count(dest) as destination values(this) as this values(that) as that by ip window | where destination > 2

So this works but what I'm really interested in seeing are those ip values that exist in more than one window bin. I can't think of a way to break it down from what has effectively been the end of the search up to this point. Any ideas?

gcusello · ‎10-05-2019

Hi
If you don't have fields, you could use something like this:

 base search earliest=-7d
| timechart span=1d count
| delta count AS delta
| where delta=0 AND count=1

In this way, you have all the day where there's

If instead you have to check the difference also using fields (as ip or windows) you have to use the transaction command that's not so performant.

base search earliest=-7d
| transaction maxspan=2m ip window
| where eventcount>1

This search runs only if you have at max one event in each hour

There's also another solution that seems to run on my test data but you should test:

base search earliest=-7d
| eval col=ip." ".window
| timechart span=1m dc(col) AS count
| delta count AS delta
| where delta=0 AND count>0

Bye.
Giuseppe

ololdach · ‎10-05-2019

Hi jpawloski,
right after the bin command, you have a bunch of IP values each with a window value attached to it. You want to find those IP that are in two or more consecutive windows. My first approach to this would be to use transaction ip maxpause=1d . That would group all those events, that are consecutive and discard the rest.
Hope it helps
Oliver

Return only those events who exist in consecutive time bins

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life