topic Re: How would I create a search for event that happens but exclude the first 45 minutes? in Splunk Search

How would I create a search for event that happens but exclude the first 45 minutes?

mrkala — Mon, 25 Nov 2019 11:22:03 GMT

I am new to Splunk and trying to create an alert for a message however I keep getting false positives on the message been sent seconds apart.

I would like the search to find event with the message been sent over 45 minutes.

Anyone have any ideas or is the search too complex?

index=wh_trading_feeds KICKOFF_*_FIRST_HALF NOT KICKOFF_*_FIRST_HALF_ET "attrs.MARATHON_APP_ID"="/whc/tbc01/feeds-incident-notifier" | stats count by whId | where count = 2 | eval eventTitle = "INFO Event KO modified: http://gtp-ui.trading-services.prod.williamhill.plc/#!/football/event/"+whId earliest=@now() latest=+45m | table eventTitle

Re: How would I create a search for event that happens but exclude the first 45 minutes?

gcusello — Mon, 25 Nov 2019 13:22:25 GMT

Hi @mrkala,
sorry but in your search there are some errors: after the stats command, you can use only the fields that you used in stats, in other words, in your search, only whld, so you haven't more eventTitle and _time, so you have to rebuild your search modifying the stats command.

In addition I don't understand the time condition you want to eliminate false positives.

Anyway to solve the first problem, see below:

index=wh_trading_feeds KICKOFF_FIRST_HALF NOT KICKOFF_FIRST_HALF_ET "attrs.MARATHON_APP_ID"="/whc/tbc01/feeds-incident-notifier" 
| stats values(eventTitle) AS eventTitle earliest(_time) AS _time count by whId 
| where count = 2 
| eval eventTitle = "INFO Event KO modified: http://gtp-ui.trading-services.prod.williamhill.plc/#!/football/event/".whId 
| table eventTitle

For the second, could you give more infos about the time frame?

Ciao.
Giuseppe

Re: How would I create a search for event that happens but exclude the first 45 minutes?

mrkala — Wed, 30 Sep 2020 03:04:27 GMT

@gcusello Thanks Giuseppe.

So the time frame will be at the first point the whid comes in to prevent whid coming twice seconds or minutes apart.

Basically after the first event comes in KICKOFF_FIRST_HALF I dont want this message to come up on the search for at least 45 minutes

Re: How would I create a search for event that happens but exclude the first 45 minutes?

gcusello — Wed, 30 Sep 2020 03:08:07 GMT

Let me understand:
for each whId, after that Splunk found a message "KICKOFF_FIRST_HALF" you don't want to see again rows up to 45 minutes, is it correct?

if this is your requirement, you could try something like this, running every 5 minutes:

 index=wh_trading_feeds KICKOFF_FIRST_HALF NOT KICKOFF_FIRST_HALF_ET earliest=-5m@m latest=now "attrs.MARATHON_APP_ID"="/whc/tbc01/feeds-incident-notifier" NOT [ search  index=wh_trading_feeds KICKOFF_FIRST_HALF NOT KICKOFF_FIRST_HALF_ET "attrs.MARATHON_APP_ID"="/whc/tbc01/feeds-incident-notifier" earliest=-50m@m latest=-5m@m | dedup whId | fields whId ]
 | stats values(eventTitle) AS eventTitle earliest(_time) AS _time count by whId 
 | where count = 2 
 | eval eventTitle = "INFO Event KO modified: http://gtp-ui.trading-services.prod.williamhill.plc/#!/football/event/".whId 
 | table eventTitle

Ciao.
Giuseppe