topic Re: How to use two different search time ranges in one splunk rule? in Splunk Search

How to use two different search time ranges in one splunk rule?

veromihaiu — Thu, 03 Oct 2019 07:43:51 GMT

I have the following scenario: I have to find events with certain specifications in the last 15 minutes, and the search result have to be compared (in the same rule) with the result of another search, which looks for exact same event but in the last 7 days. I have to see if the event found in the last 15 minutes, has happen in the past,how many times and if never happened, trigger an alert. How can I add to different search time in the same rule?

Re: How to use two different search time ranges in one splunk rule?

Sfry1981 — Thu, 03 Oct 2019 07:54:15 GMT

Hey @veromihaiu

You should be able to do this using appencol and timechart with stats quite easily as this will show the current events and then its split by the other events so you will be able to see it via a line graph or as event stats. Do you have a snippet of the data from both subsets and i can provide the answer for you?

Re: How to use two different search time ranges in one splunk rule?

gcusello — Thu, 03 Oct 2019 10:53:19 GMT

Hi veromihaiu,
could you share your searches?
Anyway, you have to identify some field or part of the _raw to compare searches results.
E.g. if I have field1 and field2 as keys to compare, I can run something like this:

index=my_index earliest=-7d latest=now [ search index=my_index earliest=-15m latest=now | fields field1 field2 ]
| ...

With additional information, maybe it's possible to create a more performant search.
E.G. you could schedule a search every hour to extract the key fields and archive results on a summary, e.g.:

index=my_index earliest=-h latest=now 
| fields _time field1 field2 
| collect index=my_summary

then you can search on the summary that it's a more performat way:

index=my_summary earliest=-7d latest=now [ search index=my_summary earliest=-15m latest=now | fields field1 field2 ]
| ...

Remember that there's a limit of 50,000 results for subsearches, so check if in last 15 minutes you have more or less than 50,000 results.

Bye.
Giuseppe

Re: How to use two different search time ranges in one splunk rule?

veromihaiu — Mon, 07 Oct 2019 13:39:11 GMT

You are right. It worked with appendcols and subsearch 🙂

Re: How to use two different search time ranges in one splunk rule?

veromihaiu — Mon, 07 Oct 2019 13:39:41 GMT

Thanks for the response! It worked!

Re: How to use two different search time ranges in one splunk rule?

veromihaiu — Mon, 07 Oct 2019 13:41:01 GMT

Thank you! 🙂