Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

evaluate time range in splunk event data and alert

GEB
Explorer
‎12-08-2021 12:58 PM

Given an event log specification of:
"{DateTime} Times:
Online_1: CNCT_TM: {CNCT_TM}; LOG_TM: {LOG_TM}
Online_2: CNCT_TM: {CNCT_TM}; LOG_TM: {LOG_TM}
Offline_1: CNCT_TM: {CNCT_TM}; LOG_TM: {LOG_TM}
Offline_2: CNCT_TM: {CNCT_TM}; LOG_TM: {LOG_TM}"

which is logged 4 times a day and an example entry like:
"2021-12-08 14:31:59 Times: Online_1: CNCT_TM: 2021-12-08 14:47:13.873; LOG_TM: 2021-12-08 14:47:16.387; Online_2: CNCT_TM: 2021-12-08 14:47:49.837; LOG_TM: 2021-12-08 14:47:50.480; Offline_1: CNCT_TM: 2021-12-08 14:48:27.303; LOG_TM: 2021-12-08 14:48:28.927; Offline_2: CNCT_TM: 2021-12-08 14:48:56.673; LOG_TM: 2021-12-08 14:48:58.750"

How do I evaluate and graph the time range in Minutes and Seconds (just seconds would be fine for me) between the maximum and minimum times embedded in the 8 times captured in the log entry?  Ultimately, I would like to create an alert if a time range greater than something like 30 minutes were to occur.

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-08-2021 02:34 PM 
| makeresults
| eval _raw="2021-12-08 14:31:59 Times: Online_1: CNCT_TM: 2021-12-08 14:47:13.873; LOG_TM: 2021-12-08 14:47:16.387; Online_2: CNCT_TM: 2021-12-08 14:47:49.837; LOG_TM: 2021-12-08 14:47:50.480; Offline_1: CNCT_TM: 2021-12-08 14:48:27.303; LOG_TM: 2021-12-08 14:48:28.927; Offline_2: CNCT_TM: 2021-12-08 14:48:56.673; LOG_TM: 2021-12-08 14:48:58.750"



| rex max_match=0 "_TM:\s(?<timestamp>[^;]+)"
| eval timestamp=mvmap(timestamp,strptime(timestamp,"%Y-%m-%d %H:%M:%S.%Q"))
| eval earliest=mvindex(mvsort(timestamp),0)
| eval latest=mvindex(mvsort(timestamp),-1)
| eval timespan=latest-earliest

View solution in original post

Reply
Solved! Jump to solution

GEB
Explorer
‎12-09-2021 06:51 AM

Sending thanks to ITWhisperer

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-08-2021 02:34 PM 
| makeresults
| eval _raw="2021-12-08 14:31:59 Times: Online_1: CNCT_TM: 2021-12-08 14:47:13.873; LOG_TM: 2021-12-08 14:47:16.387; Online_2: CNCT_TM: 2021-12-08 14:47:49.837; LOG_TM: 2021-12-08 14:47:50.480; Offline_1: CNCT_TM: 2021-12-08 14:48:27.303; LOG_TM: 2021-12-08 14:48:28.927; Offline_2: CNCT_TM: 2021-12-08 14:48:56.673; LOG_TM: 2021-12-08 14:48:58.750"



| rex max_match=0 "_TM:\s(?<timestamp>[^;]+)"
| eval timestamp=mvmap(timestamp,strptime(timestamp,"%Y-%m-%d %H:%M:%S.%Q"))
| eval earliest=mvindex(mvsort(timestamp),0)
| eval latest=mvindex(mvsort(timestamp),-1)
| eval timespan=latest-earliest
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...