I need to perform a search that spans a day's worth of logs looking for 5 identical events in a one-hour window. Breaking the day up into hours will not work since the 5 events could cross the hour boundary (i.e. 11:50 - 12:10). I imagine that I need to evaluate the difference in timestamps of each event to determine if they are within a one-hour window, but I can't see how to do it.
In a script I would put all events sorted by time into an array and look for any grouping of 5 events where the difference in time between event[x] and event[x+4] is <= 3600 (working with epoch time). How would you do this, or something like this, in Splunk?
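As an added example (not from the original post or from Splunk), here is the scripted sliding-window check the question describes, run over constructed sample log lines: events are grouped by an identity key, sorted by epoch time, and a hit is reported when event[x+4] - event[x] <= 3600. The per-hour bucket count is shown beside it to make the hour-boundary gap concrete; the log format and the user/event field names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone

WINDOW_SECONDS = 3600   # one-hour sliding window
THRESHOLD = 5           # number of identical events that triggers a hit

# Constructed sample log lines (not from the original post). The alice burst
# spans 11:50-12:10, i.e. it crosses the hour boundary.
SAMPLE_LOGS = """\
2024-03-01T11:50:00Z user=alice event=login_failed
2024-03-01T11:55:00Z user=alice event=login_failed
2024-03-01T11:58:00Z user=bob event=login_failed
2024-03-01T12:02:00Z user=alice event=login_failed
2024-03-01T12:07:00Z user=alice event=login_failed
2024-03-01T12:10:00Z user=alice event=login_failed
2024-03-01T14:00:00Z user=bob event=login_failed
"""

def parse_line(line):
    """Return (epoch_seconds, identity_key) for one log line."""
    ts_str, *fields = line.split()
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    kv = dict(f.split("=", 1) for f in fields)
    return int(ts.timestamp()), (kv["user"], kv["event"])

def group_times(lines):
    """Map identity key -> sorted list of epoch timestamps."""
    by_key = defaultdict(list)
    for line in lines:
        if line.strip():
            epoch, key = parse_line(line)
            by_key[key].append(epoch)
    return {key: sorted(times) for key, times in by_key.items()}

def find_bursts(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Sliding window: report the first run of `threshold` identical events
    whose first and last timestamps are at most `window` seconds apart."""
    hits = []
    for key, times in group_times(lines).items():
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits.append((key, times[i], times[i + threshold - 1]))
                break  # one alert per key; later overlapping windows are redundant
    return hits

def max_per_hour_bucket(lines):
    """The fixed-bucket count the question rejects: max identical events per
    clock hour. Returns a smaller number when a burst straddles the boundary."""
    counts = defaultdict(int)
    for key, times in group_times(lines).items():
        for t in times:
            counts[(key, t // 3600)] += 1
    return max(counts.values(), default=0)
```

In SPL the same idea is a time-ordered streamstats, e.g. `| sort 0 _time | streamstats window=5 count AS cnt earliest(_time) AS first_time BY user event | where cnt=5 AND _time-first_time<=3600`.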