Splunk Search

How to group together events based on their relative distance in _time?

thisissplunk
Builder

Hello All,

I'm trying to figure out how to group certain events together if they happen within 1 second of each other's relative _time (they happened <= one second from each other).

Current search as an example (the three login_server terms need to be ORed; written one after another they are implicitly ANDed and match no event):

sourcetype=logins (login_server="server_01" OR login_server="server_02" OR login_server="server_03") | stats values(login_server) count(login_server) AS UniqueEventCount dc(login_server) AS UniqueServerCount by HostName, User | sort -UniqueServerCount | where UniqueServerCount > 1

What the above answers is: "Show me the events where a host and user name logs into two or more different login servers". What I need to add is that I only want to show events that log into two or more login servers within 1 second of each other.

Bucket does not do this, as two events can fall within 1 second of each other but not between the same one-second bucket markers.

Any ideas?

1 Solution

gfreitas
Builder

Hi thisissplunk,

Maybe you can use the "transaction" command, using "| transaction login_server maxspan=1s". This way you will group all the events whose login_server values are equal within a maximum difference of 1 second between events.

Hope this helps!

thisissplunk
Builder

The transaction command did it. Though I will say it adds a LOT of overhead and makes some of our searches impossible over more than a few minutes. It does however do the same as the above initial search AND ensures they all happened within 1 second of each other.

I can now say "Someone logged into 3 different servers within one second, and here is your single alert showing you so".

sourcetype=logins (login_server="server_01" OR login_server="server_02" OR login_server="server_03") | transaction fields="HostName" maxspan=1s | eval UniqueServers=mvcount(login_server) | where UniqueServers > 1

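The difference between fixed one-second bins and a maxspan-style grouping, together with the final alert condition from the reply above, as an added example that is not part of the original thread: a Python model of `transaction HostName maxspan=1s` run over constructed login events. The hosts, users, timestamps and sample lines are made up for the example, and the grouping routine is a simplified sketch of what the real transaction command does inside Splunk, not its implementation. The pair from host01 at 11:59:59.800 and 12:00:00.200 is 0.4 s apart but sits on either side of a bucket boundary, so binning misses it while the span-based grouping reports it.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not taken from the original post), one login per line:
#   <timestamp> <HostName> <User> <login_server>
# host01 logs into server_01 and server_02 0.4 s apart, straddling the 12:00:00 boundary.
SAMPLE_EVENTS = """\
2024-05-01T11:59:59.800 host01 alice server_01
2024-05-01T12:00:00.200 host01 alice server_02
2024-05-01T12:00:05.000 host01 alice server_03
2024-05-01T12:00:10.000 host02 bob server_01
2024-05-01T12:00:10.300 host02 bob server_02
2024-05-01T12:00:10.900 host02 bob server_03
2024-05-01T12:00:11.500 host02 bob server_01
2024-05-01T12:00:20.000 host03 carol server_01
2024-05-01T12:00:20.000 host03 carol server_01
2024-05-01T12:00:25.000 host04 dave server_99
"""

# The (login_server="server_01" OR ... OR login_server="server_03") part of the base search.
SERVERS = {"server_01", "server_02", "server_03"}
EPOCH = datetime(1970, 1, 1)


def parse(text):
    """Turn the sample lines into event dicts, filtered to the wanted servers, oldest first."""
    events = []
    for line in text.splitlines():
        ts, host, user, server = line.split()
        if server in SERVERS:
            events.append({"_time": datetime.fromisoformat(ts),
                           "HostName": host, "User": user, "login_server": server})
    return sorted(events, key=lambda e: e["_time"])


def bucket_groups(events, span=1.0):
    """Fixed bins, like `bin _time span=1s | stats ... by _time, HostName`.

    Two events less than `span` apart can still land in different bins."""
    groups = defaultdict(list)
    for e in events:
        bucket = int((e["_time"] - EPOCH).total_seconds() // span)
        groups[(e["HostName"], bucket)].append(e)
    return list(groups.values())


def transaction_groups(events, key="HostName", maxspan=1.0):
    """Simplified model of `transaction <key> maxspan=<seconds>`.

    Walk the events in time order keeping one open group per key value. An event joins
    the open group only if the group's total span stays <= maxspan; otherwise the group
    is closed and a new one starts with that event."""
    open_groups = {}
    closed = []
    for e in events:
        k = e[key]
        g = open_groups.get(k)
        if g is not None and (e["_time"] - g[0]["_time"]).total_seconds() <= maxspan:
            g.append(e)
            continue
        if g is not None:
            closed.append(g)
        open_groups[k] = [e]
    closed.extend(open_groups.values())
    return closed


def alerts(groups, min_servers=2):
    """Groups in which one host reached >= min_servers distinct login servers
    (the dc(login_server) > 1 condition of the original search).
    Returns sorted (HostName, group start time, sorted servers) tuples."""
    out = []
    for g in groups:
        servers = tuple(sorted({e["login_server"] for e in g}))
        if len(servers) >= min_servers:
            out.append((g[0]["HostName"],
                        g[0]["_time"].isoformat(timespec="milliseconds"),
                        servers))
    return sorted(out)


if __name__ == "__main__":
    evs = parse(SAMPLE_EVENTS)
    print("fixed 1 s buckets:", alerts(bucket_groups(evs)))
    print("maxspan=1s:       ", alerts(transaction_groups(evs)))
```

Run it and the bucket version reports only host02, while the maxspan version also reports host01's two logins across the 12:00:00 boundary, which is exactly the case the asker says bucketing misses. The sketch only needs one open group per key while it walks the events, which is what makes the span check itself cheap; the real transaction command does much more than this (it also supports maxpause, startswith/endswith and carries whole events into each group), so it is not a substitute for measuring the overhead mentioned in the reply.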