Join the Conversation
- Find Answers
- :
- Splunk Products
- :
- Splunk Enterprise Security
- :
- How to aggregate events per host per hour?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to aggregate events per host per hour?
Hello,
I believe this does not give me what I want but it does at the same time. After events are indexed I'm attempting to aggregate per host per hour for specific windows events.
More specifically I don't see to see that a host isn't able to log 17 times within 1 hour. One alert during that period of time is what I'm looking for.
index=wineventlog EventCode=521 OR EventCode=4617 |bucket _time span=1h | chart count by host
This shows me a total of the alerts that took place within an hour but doesn't necessarily aggregate if I wanted to make an alert for it unless I'm mistaken.
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like
index=wineventlog EventCode=521 OR EventCode=4617 | timechart span=1h count by host
or
index=wineventlog EventCode=521 OR EventCode=4617 | timechart span=1h sum(eval(EventCode=521)) as 521 sum(eval(EventCode=4617)) as 4617 by host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you trying to make a search you can schedule to run once every hour and alert if the total count of events in that hour for a given host exceeds a threshold? Or do you want to make a table of host many events per host were seen each hour and then only retain the rows where the count exceeded a threshold? It would help a lot to know your end goal.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
End goal is instead of having 17 alerts on the same host for the same event (in this case, unable to log) I just want 1 alert for all 17 events based on :insert host:.
So for instance.
If host x,y and z fire this alert I would want three alerts because the host is different and not because the alert simply fired again.
There is no threshold more like an aggregation of the events over the course of an hour so that only 1 alert fires.
Sorry for not being more specific.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In the meantime, you could try the following searches to see if they are showing you what you want:
index=wineventlog EventCode=521 OR EventCode=4617
| bin span=1h _time
| stats count by _time, host
or
index=wineventlog EventCode=521 OR EventCode=4617
| bin span=1h _time
| chart count by _time, host
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
