topic Re: How to FILTER same events whit two or more fields in a time interval? in Splunk Search

How to FILTER same events whit two or more fields in a time interval?

DG3bran — Tue, 13 Sep 2022 20:34:49 GMT

Hello team !!

Im working whit CDR of SMS and I have to find a way to visualize that two fields are repeated more than 10 times in a minute

Could you help me find a way to do it?

This is a part of my CDR

14:00:06.495844|2022-09-13 14:00:06.495847|2022-09-13 14:00:06|MT|3385251555|56271948588

origin:3385251555

dest:56271948588

I want to see when it repeats the same origin and the same destination more than 10 times in 1 minute

Thank you very much for your help and time

Re: How to FILTER same events whit two or more fields in a time interval?

bowesmana — Wed, 14 Sep 2022 02:00:21 GMT

Use streamstats or stats, e.g. with stats you can use

search... | bin _time span=1m | stats count by _time origin dest | where count>10

which will do 1 minute boundary counting, so if you get 9 occurrences between 9:00:45 and 9:00:52 and then another 5 at 9:01:02 it will not find this. To find these examples, use streamstats, e.g.

| streamstats time_window=1m count by origin dest | where count>10 | bin _time span=1m | stats max(count) as max by _time origin dest

Note these examples assume origin and dest are fields in your data, but hopefully this will give you something to go with

Re: How to FILTER same events whit two or more fields in a time interval?

DG3bran — Wed, 14 Sep 2022 12:45:03 GMT

Thanks very much for you help . I´ll check