Perform Transaction for only repeating values of f...

omend · ‎07-16-2013

Hi,

I'm looking to write a splunk search that joins consecutive similar events.
The data is of IP Addresses allocation to machine names, so the lines are of the following format:

[Start Time],[End Time],[Hostname],[IP Address]
10:00,10:15,MINE-PC,10.0.0.2
10:15,12:00,MINE-PC,10.0.0.2
12:00,12:45,MINE-PC,10.0.0.5
12:45,13:08,MINE-PC,10.0.0.5
13:08,13:37,MINE-PC,10.0.0.2

I would like to join all consecutive identical IP Addresses so the results should look like:
[Start Time],[End Time],[Hostname],[IP Address]
10:00,12:00,MINE-PC,10.0.0.2
12:00,13:08,MINE-PC,10.0.0.5
13:08,13:37,MINE-PC,10.0.0.2

Could anyone please provide a short search code?

Thanks,
Ori.

dmlee · ‎07-16-2013

may I know if the live time of an allocated IP is always 15 minutes or can be any range ?
if the live time is always 15 minutes , you can try this :

sourcetype="omend" | rex "(?P[^,]+),(?P[^,]+),(?P[^,]+),(?P[^,]+)" | transaction maxpause=15m IP HostName

omend · ‎07-16-2013

Unfortunately the 15 minutes bucket is only for the example purposes, it can be any time range.

Perform Transaction for only repeating values of field

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms