- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- how to create bucket over a period of 3 days?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how to create bucket over a period of 3 days?
Hello Folks,
We're trying to set up an alert for user contacting malware websites constantly. For eg user A attempts to access "malware" category website on day 1, day 2 and day 3, if it has happened on all 3 days then should be flagged.
Base search:
index=proxy url=* category="malware"
Tried to add below after the base seach but doesn't seem to be creating 3 buckets.
| bin _time bins=3 | stats count by _time
Any help or pointers?
Thanks in advance!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you looking for this?
maxHotSpanSecs =
* Upper bound of timespan of hot/warm buckets in seconds.
https://docs.splunk.com/Documentation/Splunk/7.2.0/Admin/Indexesconf
maxHotSpanSecs = 259200
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ,
I have not tried this one yet , but i got some answers for this same issue
You can't set a time retention on hot or warm buckets. Only by size in MB. This is one of my huge gripes in Splunk.
You can use the Monitoring Console to gain some insight into how much data is in your hot/warm directories (x amount of days, for instance). The only time retention I've found is based on moving data from cold into frozen
Link to the original answer : https://answers.splunk.com/answers/501003/could-i-set-the-the-time-limit-on-hotwarm-buckets.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your reply.
Not sure if I aksed question correctly. Our aim is to get 3 bins when we execute splunk search and if it matches the criteria.
Cheers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Below query seems to be giving me answer nearly what we after
index=proxy logs url=* category="malware" | bucket _time span=24h | stats count by _time,user
Results are something like this when I run for 2 days:
_time user count
2018-10-24 10:00 A 1
2018-10-24 10:00 B 11
2018-10-24 10:00 C 3
2018-10-25 10:00 A 1
2018-10-25 10:00 D 9
2018-10-25 10:00 E 10
Now, as we can see that user A has appeared twice in the search, is there a way to display the results only for user A and filter out rest?
Thanks
Enterprise Security Content Update (ESCU) | New Releases
Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest
We’ve Got Education Validation!
