https://community.splunk.com/t5/Splunk-Search/Need-Help-with-a-Splunk-query/m-p/687203#M234386 <P>I tried something like this&nbsp;</P> <LI-CODE lang="markup">index=abc ("Aggregator * is Error" OR "Aggregator * is Up") NJ12GC102 | rex field=_raw "Aggregator\s(?&lt;aggregator&gt;[^\s]+)\sis\s(?&lt;aggregator_status&gt;\w+)\s" | streamstats current=t global=f window=2 range(_time) as time_diff by aggregator,aggregator_status | streamstats current=t global=f window=2 range(_time) as time_diff2 by aggregator | table _time aggregator aggregator_status time_diff time_diff2 |</LI-CODE> <P><BR /><BR />But the output is now what I needed. For that I would need to change the window=2, but it brings more issues.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="phularah_1-1715358409563.png" style="width: 555px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/30773i545C40D23ABB2964/image-dimensions/555x287?v=v2" width="555" height="287" role="button" title="phularah_1-1715358409563.png" alt="phularah_1-1715358409563.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 10 May 2024 20:28:10 GMT phularah 2024-05-10T20:28:10Z https://community.splunk.com/t5/Splunk-Search/Need-Help-with-a-Splunk-query/m-p/687194#M234382 <P>So, I have data like this after I ran a query.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="phularah_1-1715356433010.png" style="width: 628px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/30771i9C5F33183DD9D6A8/image-dimensions/628x157?v=v2" width="628" height="157" role="button" title="phularah_1-1715356433010.png" alt="phularah_1-1715356433010.png" /></span></P><P>For each aggregator, if the aggregator_status is <STRONG>Error</STRONG> and before15 minutes, the aggregator_status becomes Up, alert should not run. But, if the aggregator_status is still <STRONG>Error</STRONG> or no new event comes, alert should trigger. The <STRONG>Time</STRONG> field is epoch time which I am thinking can be used to find difference in Up and Error status times.<BR /><BR />How do I create such a query for the alert? I am thinking of using foreach command or some sort of streamstats, but I am unable to resolve this issue. The alert needs to run once every 24 hours.<BR /><BR /></P> Fri, 10 May 2024 15:59:47 GMT https://community.splunk.com/t5/Splunk-Search/Need-Help-with-a-Splunk-query/m-p/687194#M234382 phularah 2024-05-10T15:59:47Z https://community.splunk.com/t5/Splunk-Search/Need-Help-with-a-Splunk-query/m-p/687203#M234386 <P>I tried something like this&nbsp;</P> <LI-CODE lang="markup">index=abc ("Aggregator * is Error" OR "Aggregator * is Up") NJ12GC102 | rex field=_raw "Aggregator\s(?&lt;aggregator&gt;[^\s]+)\sis\s(?&lt;aggregator_status&gt;\w+)\s" | streamstats current=t global=f window=2 range(_time) as time_diff by aggregator,aggregator_status | streamstats current=t global=f window=2 range(_time) as time_diff2 by aggregator | table _time aggregator aggregator_status time_diff time_diff2 |</LI-CODE> <P><BR /><BR />But the output is now what I needed. For that I would need to change the window=2, but it brings more issues.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="phularah_1-1715358409563.png" style="width: 555px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/30773i545C40D23ABB2964/image-dimensions/555x287?v=v2" width="555" height="287" role="button" title="phularah_1-1715358409563.png" alt="phularah_1-1715358409563.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 10 May 2024 20:28:10 GMT https://community.splunk.com/t5/Splunk-Search/Need-Help-with-a-Splunk-query/m-p/687203#M234386 phularah 2024-05-10T20:28:10Z https://community.splunk.com/t5/Splunk-Search/Need-Help-with-a-Splunk-query/m-p/687222#M234395 <P>It might be doable with the transaction command but it's usually not a good idea (transaction is a relatively "heavy" command and has its limitations).</P><P>I'd go with streamstats and reset_before, reset_after and time_window options. (can't give you a ready-made answer at the moment since I'm away from my Splunk environment but that's the way I'd try)</P> Fri, 10 May 2024 19:52:16 GMT https://community.splunk.com/t5/Splunk-Search/Need-Help-with-a-Splunk-query/m-p/687222#M234395 PickleRick 2024-05-10T19:52:16Z https://community.splunk.com/t5/Splunk-Search/Need-Help-with-a-Splunk-query/m-p/687241#M234406 <P>Try starting with something like this</P><LI-CODE lang="markup">| streamstats values(aggregator_status) as previous_aggregator_status by aggregator window=1 current=f global=f | eval changetime=if((aggregator_status="Up" and previous_aggregator_status="Error") or (aggregator_status="Error" and previous_aggregator_status="Up"),_time,null()) | where isnotnull(changetime) | streamstats current=t global=f window=2 range(_time) as time_diff2 by aggregator | where aggregator_status="Error"</LI-CODE> Sat, 11 May 2024 08:52:43 GMT https://community.splunk.com/t5/Splunk-Search/Need-Help-with-a-Splunk-query/m-p/687241#M234406 ITWhisperer 2024-05-11T08:52:43Z