Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use two different search time ranges in one splunk rule?

veromihaiu
Path Finder
‎10-03-2019 12:43 AM

I have the following scenario: I have to find events with certain specifications in the last 15 minutes, and the search result have to be compared (in the same rule) with the result of another search, which looks for exact same event but in the last 7 days. I have to see if the event found in the last 15 minutes, has happen in the past,how many times and if never happened, trigger an alert. How can I add to different search time in the same rule?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-03-2019 03:53 AM

Hi veromihaiu,
could you share your searches?
Anyway, you have to identify some field or part of the _raw to compare searches results.
E.g. if I have field1 and field2 as keys to compare, I can run something like this:

index=my_index earliest=-7d latest=now [ search index=my_index earliest=-15m latest=now | fields field1 field2 ]
| ...

With additional information, maybe it's possible to create a more performant search.
E.G. you could schedule a search every hour to extract the key fields and archive results on a summary, e.g.:

index=my_index earliest=-h latest=now 
| fields _time field1 field2 
| collect index=my_summary

then you can search on the summary that it's a more performat way:

index=my_summary earliest=-7d latest=now [ search index=my_summary earliest=-15m latest=now | fields field1 field2 ]
| ...

Remember that there's a limit of 50,000 results for subsearches, so check if in last 15 minutes you have more or less than 50,000 results.

Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-03-2019 03:53 AM

Hi veromihaiu,
could you share your searches?
Anyway, you have to identify some field or part of the _raw to compare searches results.
E.g. if I have field1 and field2 as keys to compare, I can run something like this:

index=my_index earliest=-7d latest=now [ search index=my_index earliest=-15m latest=now | fields field1 field2 ]
| ...

With additional information, maybe it's possible to create a more performant search.
E.G. you could schedule a search every hour to extract the key fields and archive results on a summary, e.g.:

index=my_index earliest=-h latest=now 
| fields _time field1 field2 
| collect index=my_summary

then you can search on the summary that it's a more performat way:

index=my_summary earliest=-7d latest=now [ search index=my_summary earliest=-15m latest=now | fields field1 field2 ]
| ...

Remember that there's a limit of 50,000 results for subsearches, so check if in last 15 minutes you have more or less than 50,000 results.

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

veromihaiu
Path Finder
‎10-07-2019 06:39 AM

Thanks for the response! It worked!

0 Karma
Reply
Solved! Jump to solution

Sfry1981
Communicator
‎10-03-2019 12:54 AM

Hey @veromihaiu

You should be able to do this using appencol and timechart with stats quite easily as this will show the current events and then its split by the other events so you will be able to see it via a line graph or as event stats. Do you have a snippet of the data from both subsets and i can provide the answer for you?

0 Karma
Reply
Solved! Jump to solution

veromihaiu
Path Finder
‎10-07-2019 06:39 AM

You are right. It worked with appendcols and subsearch 🙂

0 Karma
Reply
Solved! Jump to solution

veromihaiu
Path Finder
‎10-07-2019 06:41 AM

Thank you! 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...