Splunk Enterprise Security

## I am searching for a query

Engager

I am new to Splunk (Enterprise Security) and I am stuck on making a certain correlation search.

An example of the events I get:

1) 1/1/2018 12:00:00 | voltage=200
2) 1/1/2018 12:00:01 | voltage=400
3) 1/1/2018 12:00:02 | voltage=200
4) 1/1/2018 12:00:03 | voltage=200

Is it possible to get the events in a range of 1 second of each other where the difference in voltage is more than 100?

So what I mean is that, for every pair of events within 1 second of each other, I need a check that the difference is more than 100.
So the result needs to be:
- event 1: difference between 1 and 2 in voltage is more than 100
- event 2: difference between 2 and 3 in voltage is more than 100

Can someone help me with this? I have no clue how to solve this one...
Many thanks!

1 Solution
Legend

This assumes that your readings are ALWAYS every 1 second and you just mean successive readings with voltage difference more than 100.

```spl
your current search giving above results
| streamstats current=t window=2 range(voltage) as voltage_difference
| reverse
| streamstats current=f window=1 last(voltage_difference) as voltage_difference2
| where (voltage_difference > 100) OR (voltage_difference2 > 100)
| reverse
```

This assumes that your readings may happen at other intervals and you are only interested in those that are within 1 second of each other with voltage difference more than 100.

```spl
your current search giving above results
| streamstats current=t time_window=1s range(voltage) as voltage_difference
| reverse
| streamstats current=t time_window=1s range(voltage) as voltage_difference2
| where (voltage_difference > 100) OR (voltage_difference2 > 100)
| reverse
```

Engager

Now I have another question following on the previous one:
How can I make it so that an event is triggered when this happens X times over 10 seconds, for example?

Esteemed Legend

Here are a couple of different ways, all starting with this to generate fake event data:

```spl
| makeresults
| eval raw="1/1/2018 12:00:00 | voltage=200:::1/1/2018 12:00:01 | voltage=400:::1/1/2018 12:00:02 | voltage=200:::1/1/2018 12:00:03 | voltage=200"
| makemv delim=":::" raw
| mvexpand raw
| rename raw AS _raw
| eval _time=strptime(_raw, "%m/%d/%Y %H:%M:%S")
| rex "voltage=(?<voltage>\d+)"
| streamstats count AS SERIAL
```

Here is one way:

```spl
| reverse
| streamstats time_window=2 range(voltage) AS voltage_span
| search voltage_span>100
| reverse
```

Here is another way that presumes you have exactly 1 measure/second:

```spl
| reverse
| autoregress voltage AS prev_voltage
| where abs(voltage - prev_voltage) > 100
| reverse
```

And yet another way that presumes you have exactly 1 measure/second:

```spl
| reverse
| streamstats current=f window=1 last(voltage) as prev_voltage
| where abs(voltage - prev_voltage) > 100
| reverse
```

Revered Legend

Give this a try

```spl
your current search giving above results
| streamstats current=f window=1 values(voltage) as prev_voltage
| where abs(prev_voltage-voltage)>100
```
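As an added example that is not from any answer in this thread, here is the same logic in Python rather than SPL, so the two readings of the question (successive readings versus readings within a 1-second window) and the follow-up "X times over 10 seconds" check can be tried offline against the question's four sample events; the function names and the sample list are mine.

```python
from datetime import datetime, timedelta

# Constructed sample: the four readings from the question, one per line.
SAMPLE_EVENTS = [
    "1/1/2018 12:00:00 | voltage=200",
    "1/1/2018 12:00:01 | voltage=400",
    "1/1/2018 12:00:02 | voltage=200",
    "1/1/2018 12:00:03 | voltage=200",
]

def parse(lines):
    """Return (timestamp, voltage) tuples oldest first, like '| reverse'."""
    out = []
    for line in lines:
        ts, _, rest = line.partition(" | ")
        volt = int(rest.split("voltage=")[1])
        out.append((datetime.strptime(ts, "%m/%d/%Y %H:%M:%S"), volt))
    return sorted(out)

def flag_successive(events, threshold=100):
    """Like 'autoregress' / 'streamstats current=f window=1': compare each
    reading with the previous one, however far apart in time they are.
    Returns (earlier_index, later_index) pairs whose difference exceeds threshold."""
    return [(i - 1, i) for i in range(1, len(events))
            if abs(events[i][1] - events[i - 1][1]) > threshold]

def flag_time_window(events, threshold=100, window=timedelta(seconds=1)):
    """Like 'streamstats time_window=1s range(voltage)': compare each reading
    with every earlier reading that falls inside the window."""
    pairs = []
    for i, (t_i, v_i) in enumerate(events):
        for j in range(i - 1, -1, -1):
            t_j, v_j = events[j]
            if t_i - t_j > window:
                break            # events are sorted, so older ones are further away
            if abs(v_i - v_j) > threshold:
                pairs.append((j, i))
    return sorted(pairs)

def count_exceeds(events, pairs, times, window=timedelta(seconds=10)):
    """Follow-up question: True if the flagged condition occurs at least
    `times` times within any span of length `window` (stamped at the later event)."""
    stamps = [events[i][0] for _, i in pairs]
    for k, start in enumerate(stamps):
        if sum(1 for s in stamps[k:] if s - start <= window) >= times:
            return True
    return False
```

The time-window version is the one that ignores a jump between readings that are more than a second apart, which is the difference the accepted answer draws between its two searches.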