- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: span 5min for the last 15min
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
span 5min for the last 15min
Hello,
I have this following search:
source="Laura_ACS"| eventstats count as "totalVE"| eventstats count(eval(STAT_VE="N")) as "totalVENO"|eval percent=(totalVENO/totalVE)*100 | stats values(totalVENO) AS COMPTEUR, values(percent) AS TAUX|search TAUX=100
I want to calculate the "TAUX" for the last 15 min but I want to have a result with a span of 5 min and launch an alert if there are more than 2 results. That means that the TAUX equals 100 twice during the last 15 minutes. How can I apply this span of 5min in my search?
Thanks by advance,
Laura
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perhaps this would help you, for the span/bucket...
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/bucket
And then put "earliest=-15m latest=0" in you orginal search command (i.e. source="Laura_ACS")
And then perhaps use streamstats, instead of stats, to prevent it from formatting results in to a table and keep all raw fields/data,
You can then use transaction to group events as required, and alert when you have 2 complete transactions
Regards,
MHibbin
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
transaction is an answer but I don't know how can I apply this on my search because I have several subsearches. I want to calculate the taux for all the range time.
Thx by advance,
Laura
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm sorry I don't understand this question ... 😞
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I test this but I have a problem because I have to apply the span on all my search :
-eventstats count as "totalVE"
-eventstats count(eval(STAT_VE="N")) as "totalVENO"
-stats values(totalVENO) AS COMPTEUR, values(percent) AS TAUX
But I don't know how can do it.
Thanks by advance,
Laura
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thx very much. I test this tomorrow and I return my search as soon as I have good results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I haven't tested this, as I don't have any data available at the moment that I can test this on... its more of some suggestions on points to look at, that have helped me in similar situations.
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
