topic Whats the best way to classify events as being "Normal" or "Exception" type of events based on time ranges when i have various different exception windows timings? in Splunk Search

Whats the best way to classify events as being "Normal" or "Exception" type of events based on time ranges when i have various different exception windows timings?

magenta — Wed, 30 Mar 2016 21:42:52 GMT

I have historical events that i'm looking to classify as having occurred during an exception period or not.
The challenge is that there are 12+ categories of events and each type of event has 4 slightly different "Exception Periods" each year. For some of the categories, the exceptional time period can be defined based on # of work days before and after the end of the quarter.

Is there a good way of doing this outside of writing many many IF statements?

Re: Whats the best way to classify events as being "Normal" or "Exception" type of events based on time ranges when i have various different exception windows timings?

martin_mueller — Wed, 30 Mar 2016 22:36:51 GMT

You could write a time-based lookup with three columns: _time, category, period

For each category, you'd put in a row for each transition between normal and exception, along with the timestamp for the transition and the class that started then. The time-based lookup logic should retrieve the youngest row for each event's category that's still before the event's timestamp.

Re: Whats the best way to classify events as being "Normal" or "Exception" type of events based on time ranges when i have various different exception windows timings?

magenta — Mon, 04 Apr 2016 16:48:22 GMT

Thanks i didn't realize lookups could be time based so i think this should work!