Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to search for a field that has occurred more than 50 times within a time period, say 5 mins ?

shakeel12
New Member
‎06-04-2017 09:34 PM

I have a search query like this,
index=ST sourcetype=CP | bin span=5m _time |stats dc(something) as total by _time,ip | where total >50

But this query only returns results occurred for every 5 mins not for every possible 5 mins.

The time column looks something like this.
_time
11:00
11:05
11:10
11:15

Is there a way to search for every instance of 5mins?

Tags (1)
0 Karma
Reply

cmerriman
Super Champion
‎06-05-2017 04:44 AM

try something like this:

index=ST sourcetype=CP|sort 0 _time|streamstats time_window=5m dc(something) as total by ip|search total>50

see if that gets you what you're looking for. time_window looks for events within the last X seconds, minutes, etc.
http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/SearchReference/Streamstats

if it doesn't work right, try putting the important data into a table before you do the streamstats.

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...