Getting Data In

Finding the duration of time spent in two different states of the system



I am working in a system which looks for DFS (Dynamic Frequency Selection) channels. The search starts with the following event:


If if find a DFS channel then the search ends with CAC_COMPLETED and stays in DFS channel. If there is a radar detected, then the search ends with CAC_STOPPED and the system switches to non-DFS channel. Later the system again searches for DFS channel with CAC_STARTED and the patter follows. 

I am trying to calculate the time spent on DFS and non-channels in a day. 

Can someone please help me with the queries. I tried the following: 

index=* mac="0cf9c0fef6fe" ("ACI_CAC_COMPLETED")
| sort _time
| stats max(_time) as maxtime min(_time) as mintime
| eval maxt=strftime(maxtime,"%d:%H:%M:%S")
| eval mint=strftime(mintime,"%d:%H:%M:%S")

This gives me the total time spend on DFS channel BUT only if the system has never switched to non-DFS channel, ie., the ACI_CAC_STOPPED event never appeared in the whole span. How do I check if there was a ACI_CAC_STOPPED event in between an calculate the dfs and non-dfs time spent durations? Please advise.

Labels (1)
0 Karma


Sorry I realised the query I have pasted is also wrong, I wanted to paste the below instaed:

index=* mac="783e535cf278" ("ACI_CAC_COMPLETED")
| stats max(_time) as maxtime min(_time) as mintime
| eval difference=maxtime-mintime
| eval difference=strftime(difference,"%d:%H:%M:%S")

Sorry for the mess, this is my first time here, so please bear with me :).

0 Karma


 clarify CAC_COMPLETED and ACI_CAC_COMPLETED are same, all the events are prefixed with ACI_. Sorry for the cofusion.

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...