Splunk Search

Correlating events and specifying a timerange for how close the events need to be

the_wolverine
Champion

I'd like to be able to historically search my events and be able to correlate events from 2 different sources. One source is a dhcp log which stores ips and hostnames that are time-specific.

Is there a command that I can use to specify how close the events must be to match? I guess I'm looking for something similar to maxspan in transaction. But I don't want to use transaction due to the expense.

0 Karma

the_wolverine
Champion

Its not apparent to me what the value of "log2" should be in your example.

0 Karma

tgow
Splunk Employee
Splunk Employee

Here is a link to an Answer from Stephen Sorkin.

http://splunk-base.splunk.com/answers/103/transaction-vs-stats-commands

I believe you can use the "stats range" instead of transaction but it depends on the data. Here is an example:

... | transaction trade_id | chart count by duration span=log2

is the same as:

... | stats range(_time) as duration by trade_id | chart count by duration span=log2
0 Karma
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...