Hello,
I have this search:
source="tcp:5543" Requester="uka*" hostname="L05236"|stats count | rangemap field=count severe=0-0 elevated=1-50 default=low
I want to know if it's possible to say in this search that between 00:00 and 10:00 severe=0-0, and between 10:00 and 16:00 severe=0-10.
Thanks in advance
I believe that you can rewrite the value of range like this:
source="tcp:5543" Requester="uka*" hostname="L05236" | stats count values(date_hour) AS dh | rangemap field=count severe=0-0 elevated=1-50 default=low | eval range=if(dh>9 AND dh<16 AND count<11, "severe", range)
UPDATE
source="tcp:5543" Requester="uka*" hostname="L05236" |eval date_hour=strftime(_time, "%H") | stats count values(date_hour) AS dh | stats count(Event) as ST by dh |rangemap field=ST severe=0-0 elevated=1-50 default=low | eval range=if(dh>9 AND dh<16 AND count<11, "severe", range)
should probably be rewritten like
source="tcp:5543" Requester="uka*" hostname="L05236" |eval date_hour=strftime(_time, "%H") | stats count(Event) AS ST by date_hour |rangemap field=ST severe=0-0 elevated=1-50 default=low | eval range=if(date_hour>9 AND date_hour<16 AND ST<11, "severe", range)
EDIT: typo
Hope this helps,
Kristian
It worked very well. I put count>11 because I changed my criteria. I just put count because count counts the number of events returned by the search, and that is exactly what I want to do. Thanks very much for your help.
Laura
OK, the count(Event) was some type of pseudo-code? In any case, I am happy that it works for you, but you are now saying count>11, rather than count<11. I do not think that is what you want, at least not according to your original post.
Please mark as "answered" if your question has been resolved.
Thanks,
K
My problem is resolved. Thanks very much.
This is my final search:
source="tcp:5543" Requester="uka*" hostname="L05236" |eval date_hour=strftime(_time, "%H") |stats count by date_hour |rangemap field=count severe=0-0 elevated=1-50 default=low | eval range=if(date_hour>9 AND date_hour<16 AND count>11, "severe", range)
Updated and confirmed that it works. Had to fix a few typos, sorry about that. Do you want count(Event) or just count, which is the same as count(_raw), i.e. the raw event?
If you want to run your search over more than 24 hours, you'll need to combine date_hour with other date_* fields, or use timechart.
/k
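As an added example (not code from the thread or from Splunk), the same pipeline written in Python over constructed timestamps: `stats count by date_hour`, then `rangemap`, then the hour-window override from the answer above. It also shows two things the SPL alone hides: a search spanning more than 24 hours merges the same hour of different days into one row unless the day is part of the key (the timechart/date_* caveat above), and `stats ... by date_hour` only emits hours that have events, so the severe=0-0 range can only fire if the empty hours are filled in. All function names and the sample timestamps are my own.

```python
from collections import Counter
from datetime import datetime

# Constructed sample timestamps (not from the thread), spanning two days:
# hour 03 has 2 events, hour 11 has 3 on the first day and 9 on the second, hour 14 has 12.
SAMPLE_TIMES = (
    ["2013-05-01T03:12:00", "2013-05-01T03:40:00"]
    + ["2013-05-01T11:%02d:00" % m for m in (5, 6, 7)]
    + ["2013-05-01T14:%02d:00" % m for m in range(12)]
    + ["2013-05-02T11:%02d:00" % m for m in range(9)]
)

def rangemap(count, severe=(0, 0), elevated=(1, 50), default="low"):
    """Mimic `rangemap field=count severe=0-0 elevated=1-50 default=low`:
    ranges are inclusive, the first matching range wins, otherwise the default."""
    if severe[0] <= count <= severe[1]:
        return "severe"
    if elevated[0] <= count <= elevated[1]:
        return "elevated"
    return default

def classify(hour, count):
    """rangemap followed by the thread's override
    `eval range=if(date_hour>9 AND date_hour<16 AND count<11, "severe", range)`:
    from 10:00 to 15:59 anything up to 10 events is already severe."""
    rng = rangemap(count)
    if 9 < hour < 16 and count < 11:
        rng = "severe"
    return rng

def count_by_hour(times, per_day=False):
    """`stats count by date_hour`. per_day=True keys on (date, hour) as well, which a
    search spanning more than 24 hours needs; otherwise 11:00 on both days is one row."""
    counts = Counter()
    for ts in times:
        t = datetime.fromisoformat(ts)
        counts[(t.date().isoformat() if per_day else "*", t.hour)] += 1
    return counts

def ranges_by_hour(times, per_day=False, fill_hours=False):
    """Return {(day, hour): (count, range)}. stats only emits hours that have events, so
    the severe=0-0 bucket never fires unless the empty hours are filled in (fill_hours)."""
    counts = count_by_hour(times, per_day)
    if fill_hours and not per_day:
        for h in range(24):
            counts.setdefault(("*", h), 0)
    return {key: (c, classify(key[1], c)) for key, c in sorted(counts.items())}
```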
Please don't post questions as answers. It makes it very hard to actually see the questions you're asking.
The problem is that I want to count the number of events per hour and then apply the range to the per-hour results, but currently I have this search:
source="tcp:5543" Requester="uka*" hostname="L05236" |eval date_hour=strftime(_time, "%H") | stats count values(date_hour) AS dh | stats count(Event) as ST by dh |rangemap field=ST severe=0-0 elevated=1-50 default=low by| eval range=if(dh>9 AND dh<16 AND count<11, "severe", range)
Thanks in advance if you know the solution to this problem.
Laura
The field date_hour is extracted by default for almost all sourcetypes (like punct, timestartpos etc.), but not for Windows Event Logs.
The problem is also present in a search bar. I think the problem is "stats count values(date_hour) AS dh", because in my table there are no values of dh, so afterwards it can't compare dh with 9 and 16...
Thanks in advance if you know the solution to this problem.
Laura
Not my field of expertise, but you might benefit from this question and answer regarding characters being interpreted as part of the XML:
http://splunk-base.splunk.com/answers/30157/inputlookup-in-view-with-rex
/k
Thanks very much. How can I put it in an XML file? When I put it in my dashboard XML file, I get an error. I think it's the "<" that is the problem.
Thanks in advance,
Laura
Updated. However, what do you want to happen when a search spans from 08:00 to 13:00?
/kristian