Alerting

How to calculate the cumulative count of events using relative timeframes?

arthurabreu
Explorer

Hi,

I need to create a search that calculates the cumulative count of a specific event during the weekend.

I have the following query, that will give me the count of distinct hosts that have EventID 6009. These events can happen anytime during the weekend.

index=win_logs sourcetype=System EventID=6009 | stats dc(host) AS TotalHostCount

I've created an alert that will run this search every 2 hours during the weekends (Saturdays AND Sundays) and send an email with the current count, so we can monitor the progress. I did the schedule using cron.

But I am struggling with the right time modifiers to use with the cron schedule... I want to lock my timeframe to look at events between Saturdays 12:00:00AM and Mondays 12:00:00AM

I tried to use earliest=@w6 and it will lock my search to start on Saturdays but when the alert is triggered again on Sunday, it will be considered a new week (w0) and therefore w6 will be a date in the future messing the whole thing up...

Any ideas ?

Thanks!

0 Karma
1 Solution

DalJeanis
SplunkTrust
SplunkTrust

Okay, try something like this...

earliest=-1d@w5+1d 

or

earliest=-1d@w+6d

Try

earliest=-1d@w6

View solution in original post

DalJeanis
SplunkTrust
SplunkTrust

Okay, try something like this...

earliest=-1d@w5+1d 

or

earliest=-1d@w+6d

Try

earliest=-1d@w6

arthurabreu
Explorer

Hi DalJeanis.

Thanks for your suggestion but as I mentioned on my original question, I have to lock in a specific timeframe (Saturdays 12:00:00AM and Mondays 12:00:00AM) and still be able to execute the query every 2 hours during the weekend.
earliest=-1d@w6 will work fine for Sunday, but if I run the query it on Saturday it will give me results from Friday, which is outside the desired timeframe.

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

@arthurabreu - updated the answer, try the new code.

0 Karma

arthurabreu
Explorer

thank you, that did the trick! 🙂

Get Updates on the Splunk Community!

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Greetings, Splunk Cloud Admins and Splunk enthusiasts! The Admin Configuration Service (ACS) team is excited ...

Tech Talk | One Log to Rule Them All

One log to rule them all: how you can centralize your troubleshooting with Splunk logs We know how important ...

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through: An introduction to the Splunk Threat ...