Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

help with query

sarit_s
Communicator
‎03-29-2020 06:12 AM

Hello
i have 2 kinds of events - X and Y
and i want to see how many times X+Y happens at the same time and how many times each one of them happens alone
how can i do it ?

thanks

**edit:
this is the flow :

  1. Query a specific eventtype (E1) for a specific tail_id and get all the timestamps in which it appears
  2. For each of the above timestamps query the same tail_id at the timestamp +/- a given delta
  3. For each query above count how many times different eventtypes appear
  4. Return a sum of total amounts of time each of the above events was seen with the original E1 event. E.g. if E1 was seen a total of 100 times have a list that shows E2 was seen all 100 times with E1, E3 was seen 50 times with E1, etc.

Do you think it will be possible to run something like this a single splunk query, and moreso will it be efficient to have nested queries and loops in the same command?

Tags (2)
0 Karma
Reply

woodcock
Esteemed Legend
‎03-29-2020 08:50 AM

Like this:

 ... | stats count BY XorYfield
| addtotals
0 Karma
Reply

sarit_s
Communicator
‎03-30-2020 04:55 AM

this is the flow i want :

  1. Query a specific eventtype (E1) for a specific tail_id and get all the timestamps in which it appears
  2. For each of the above timestamps query the same tail_id at the timestamp +/- a given delta
  3. For each query above count how many times different eventtypes appear
  4. Return a sum of total amounts of time each of the above events was seen with the original E1 event. E.g. if E1 was seen a total of 100 times have a list that shows E2 was seen all 100 times with E1, E3 was seen 50 times with E1, etc.
0 Karma
Reply

jpolvino
Builder
‎03-29-2020 06:42 AM

When you say "at the same time" do you mean they have the same timestamps, or are you looking for processing time overlaps?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-29-2020 06:27 AM

Hi @sarit_s,
if your events are in indexes X and Y, you could run something like this:

index=X OR index=Y
| stats count BY index
| addcoltotals labelfield=index label="Total"

if your events are in the same index, find a field to divide them (e.g. sourcetype or something else) and use it in stats count command.

Ciao.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...