topic Re: how to select only one event in Splunk Search

How to select only one event?

disasters — Mon, 13 Feb 2023 17:11:54 GMT

My query is this.

index=log AND 1378

There are two event

20230112, 1378, error A/B/C, duration 100

20230112, 1378, error A/B, duration 2

I want select only one event that duration greater than another event.

Re: how to select only one event

gcusello — Mon, 13 Feb 2023 10:45:39 GMT

Hi @disasters,

I suppose that you already extracted fields, so, please confirm:

you want to extract all the events for each event_id (1378) where there are more than one event and you want the one with the max duration, is it correct?

if this is your need, please try something like this:

index=log 1378 | stats earliest(timestamp) AS timestamp values(error) AS error max(duration) AS duration count BY event_id | where count>1

in addition, you don't need to use the AND operator because if you don't use a boolean operator is like AND.

Ciao.

Giuseppe

Re: how to select only one event

richgalloway — Mon, 13 Feb 2023 10:46:28 GMT

Assuming the duration field is already extracted, use eventstats to find the greatest duration then the where command can select the event with that value.

index=log AND 1378 | eventstats max(duration) as maxDuration | where duration = maxDuration

Re: how to select only one event

disasters — Tue, 14 Feb 2023 00:58:09 GMT

It works. Thank you!!

Re: how to select only one event

richgalloway — Tue, 14 Feb 2023 01:16:36 GMT

How should Splunk know which events to display? When does it choose the highest duration and when does it choose the first and third? Computers need rules to follow.

Re: how to select only one event

disasters — Tue, 14 Feb 2023 01:40:16 GMT

query

index=ddos
| rex field=_raw "(?<time>.*),(<alert_num>.*),(<error>.*),(<duration>.*)"

event

20230112, 1378, error A/B/C, duration 100

20230112, 1378, error A/B, duration 2

20230112, 1379, error A/B/D, duration 300

20230112, 1379, error A/B, duration 4

and then query

index=ddos
| rex field=_raw "(?<time>.*),(<alert_num>.*),(<error>.*),(<duration>.*)"

| eventstats max(duration) as maxDuration

| where duration=maxDuration

event (only 1)

20230112, 1379, error A/B/D, duration 300

I want to display two event that different alert_num

20230112, 1378, error A/B/C, duration 100

20230112, 1379, error A/B/D, duration 300

Re: how to select only one event

disasters — Tue, 14 Feb 2023 01:42:24 GMT

It works. Thank you.

but same problem i have. Please refer to above reply.

Re: how to select only one event

bowesmana — Tue, 14 Feb 2023 04:16:39 GMT

Your rex statement is wrong and even when fixed, it extracts duration as the string

duration 300

i.e. the full text, so you should use this rex

| rex field=_raw "(?<time>.*),(?<alert_num>.*),(?<error>.*),\s?duration\s+(?<duration>\d+)" | eventstats max(duration) as maxDuration by alert_num | where duration=maxDuration

so your duration field is extracted as a number rather than a string. Then simply add the by alert_num onto your eventstats.

Note that you should still make your regex more robust. Using a greedy .* wildcard selection can easily cause your regex to break. For example as you know your field delimiter is a comma, use

| rex field=_raw "(?<time>[^,]*),(?<alert_num>[^,]),(?<error>[^,]),\s?duration\s+(?<duration>\d+)"