How to find the impacted records in last few minut...

Real_captain

Hi

I want to know if it is possible to show the number of impacted records in last 15 mins for the below search:

Query: index = events_prod_tio_omnibus_esa ( "SESE023" OR "SESE020" OR "SESE030" )

Result:

Requirement :

For the above search, if the search is executed at :
11:30 ==> It will show 0 records

11:40 ==> It will show 2 records (as the last event raised on 11:37:14 is having 2 records and currenttime - event time < 15 mins)

11:50 ==> It will show 2 records (as the last event raised on 11:37:14 is having 2 records and currenttime - event time < 15 mins)

11:55 ==> It will show 0 records (as the last event raised on 11:37:14 is having 2 records but currenttime - event time >15 mins)

Real_captain

Thanks @ITWhisperer for an update.

If I have to create Dashboard which will only display the number of records (example 2) if it is within 15 mins and 0 if latest event is less than 15 mins.

Is it possible to create such dashboard ??

ITWhisperer

If I understand correctly, then yes; you could use a single to display a number, you just need a search to calculate the number for your. The stats command can easily count the number of events returned by the search.

Real_captain

Hi @ITWhisperer

My requirement is to fetch the value from the latest event (even if I restrict the search to 30 mins).

Example :

Query : index = events_prod_tio_omnibus_esa ( "SESE023" ) sourcetype=Log_mvs
| rex field=msg "(ADV|ALERT REACH)\s* (?<Nb_msg>[^\s]+)"
| rex field=msg "NB\s* (?<Msg_typ>[^\s]+)"
| table Nb_msg

Result :

I want to display the value "Nb_msg" in the result if there is any event in the last 15 mins. if there is no event in the last 15 mins , then display the value "0" in the result.

Currently with the query (attached above) , i am getting the value "Nb_msg" from all the events generated in last 15 mins.

ITWhisperer

I am not sure I understand - if you restrict the search to the last 15 minutes, you will either get a number of events or none. If you want to determine how many events you have you could do this

index = events_prod_tio_omnibus_esa ( "SESE023" ) sourcetype=Log_mvs
| rex field=msg "(ADV|ALERT REACH)\s* (?<Nb_msg>[^\s]+)"
| rex field=msg "NB\s* (?<Msg_typ>[^\s]+)"
| table Nb_msg
| appendpipe
  [| stats count]
| table count
| where isnotnull(count)

Real_captain

Sorry , my query was not that.

I will try to explain it again.

Query :

index = events_prod_tio_omnibus_esa ( "SESE030" ) sourcetype=Log_mvs
| rex field=msg "(ADV|ALERT REACH)\s* (?<Nb_msg>[^\s]+)"
|stats latest(Nb_msg) as Back_log

If there is no record fetched in last 15 mins , then currently it is showing "No results found. Try expanding the time range." I will to display the number as 0 instead of "No results found. Try expanding the time range.".

Is it possible ??

ITWhisperer

Try the appendpipe as I suggested

index = events_prod_tio_omnibus_esa ( "SESE030" ) sourcetype=Log_mvs
| rex field=msg "(ADV|ALERT REACH)\s* (?<Nb_msg>[^\s]+)"
|stats latest(Nb_msg) as Back_log
| appendpipe
  [| stats count
   | where count=0
   | rename count as Back_log]
| table Back_log

ITWhisperer

It looks like your event time is already in the _time field i.e. your timestamp parsing appears to be correct, therefore, if you restrict your search to the last 15 minutes, you won't get any events prior to that.

How to find the impacted records in last few minutes ?

proactive Splunk component monitoring

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector