- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Can you help me with a query using the streamstats...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is how events are,
2018-12-20T13:38:07.938-0500: 28658.929: [**Dull BC** (Allocation Failure)
2018-12-20T13:38:12.764-0500: 28663.756: [SoftReference, 410050 refs, 0.1673385 secs
2018-12-20T13:38:12.932-0500: 28663.923: [WeakReference, 117939 refs, 0.0132928 secs]
2018-12-20T13:38:12.945-0500: 28663.936: [FinalReference, 476 refs, 0.0002134 secs]
2018-12-20T13:38:12.945-0500: 28663.937: [PhantomReference, 658 refs, 789 refs, 0.0002301 secs]
2018-12-20T13:38:12.945-0500: 28663.937: [JNI Weak Reference, 0.0005271 secs]
17G->7032M(18G), **16.4882875** secs]
I am hoping streamstats would be able to help me with the following requirement,
If splunk search encounters the keyword 'Dull BC', then the control should jump to the next 5th event/sentence/line and fetch the value '16.2882857' for me.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @zacksoft,
You could use the streamstats command like this:
your base search
| streamstats count reset_after="("like(_raw,\"%Dull BC%\")")"
| search count=5
However, you will notice a minor glitch with this command: If the the first couple of lines do not contain "Dull BC" then the fifth line will have a count of 5 regardless.
Perhaps you could also use the transaction command:
your base search | sort -_time
| transaction startswith="**Dull BC**" endswith="JNI Weak Reference" maxevents=6
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @zacksoft,
You could use the streamstats command like this:
your base search
| streamstats count reset_after="("like(_raw,\"%Dull BC%\")")"
| search count=5
However, you will notice a minor glitch with this command: If the the first couple of lines do not contain "Dull BC" then the fifth line will have a count of 5 regardless.
Perhaps you could also use the transaction command:
your base search | sort -_time
| transaction startswith="**Dull BC**" endswith="JNI Weak Reference" maxevents=6
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you.
The transaction command does the job, but I see anomaly.
sometimes maxevents = 6 shows the lines but mazevents = 9 doesn't.
It's strange..
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
