I have the Splunk search below, which gets me all entityIds with a count:
index=coreprod pod=xxxx CASE(xxxxxx) event=ack |stats count by entityId |where count>1
I want to list ONLY those entityIds where the difference between their occurrences is less than 1 hr (or xx min).
index=coreprod pod=xxxx CASE(xxxxxx) event=ack earliest=-1h | stats count by entityId |where count>1
Thanks @ITWhisperer, but this is ONLY for the LAST 1h. I want to pull all output for YESTERDAY and see within that how many duplicate events had a gap of 1h or 30m or xx.
Do you mean something like this?
index=coreprod pod=xxxx CASE(xxxxxx) event=ack
| streamstats range(_time) as range global=f window=2 by entityId
| where range < 3600
| stats count
@ITWhisperer Let me try explaining with an example. My original Splunk search gives the output below for YESTERDAY. I know that the A2 and A3 events occurred within a span of 30 min, whereas BOTH the A1 events occurred with a gap of 2h.
entityId | Count |
A1 | 2 |
A2 | 2 |
A3 | 3 |
I am trying to see (using Splunk) if there is some way to list ONLY these for YESTERDAY, since these 2 records fulfil the criteria of having occurred within 30 min:
entityId | Count |
A2 | 2 |
A3 | 3 |
index=coreprod pod=xxxx CASE(xxxxxx) event=ack
| sort 0 _time
| streamstats range(_time) as range window=2 global=f by entityId
| eval range=if(range > 0,range,null())
| eventstats min(range) as range by entityId
| where range < 1800
| stats count by entityId
| eval count = count + 1