Splunk Enterprise Security

## I am searching for a query

Engager

I am new to Splunk (Enterprise Security) and I am stuck on making a certain correlation search.

An example of the events I get:

1) 1/1/2018 12:00:00 | voltage=200
2) 1/1/2018 12:00:01 | voltage=400
3) 1/1/2018 12:00:02 | voltage=200
4) 1/1/2018 12:00:03 | voltage=200

Is it possible to get the events in a range of 1 second of each other where the difference in voltage is more than 100?

So what I mean is that I need for every combination of 1 second a control that the difference is more than 100.
So the result needs to be:
- event 1: difference between 1 and 2 in voltage is more than 100
- event 2: difference between 2 and 3 in voltage is more than 100

Can someone help me with this? I have no clue how to solve this one...
Many thanks!

1 Solution
Legend

This assumes that your readings are ALWAYS every 1 second and you just mean successive readings with voltage difference more than 100.

```
your current search giving above results
| streamstats current=t window=2 range(voltage) as voltage_difference
| reverse
| streamstats current=f window=1 last(voltage_difference) as voltage_difference2
| where (voltage_difference > 100) OR (voltage_difference2 > 100)
| reverse
```

This assumes that your readings may happen at other intervals and you are only interested in those that are within 1 second of each other with voltage difference more than 100.

```
your current search giving above results
| streamstats current=t time_window=1s range(voltage) as voltage_difference
| reverse
| streamstats current=t time_window=1s range(voltage) as voltage_difference2
| where (voltage_difference > 100) OR (voltage_difference2 > 100)
| reverse
```
Engager

Thanks for the answers!

Now I have another question following on the previous one:
How can I make it that way, an event is triggered when this event happens X times over 10 seconds for example?

Esteemed Legend

Here are a couple of different ways, all starting with this to generate fake event data:

```
| makeresults
| eval raw="1/1/2018 12:00:00 | voltage=200:::1/1/2018 12:00:01 | voltage=400:::1/1/2018 12:00:02 | voltage=200:::1/1/2018 12:00:03 | voltage=200"
| makemv delim=":::" raw
| mvexpand raw
| rename raw AS _raw
| eval _time=strptime(_raw, "%m/%d/%Y %H:%M:%S")
| rex "voltage=(?<voltage>\d+)"
| streamstats count AS SERIAL
```

Here is one way:

```
| reverse
| streamstats time_window=2 range(voltage) AS voltage_span
| search voltage_span>100
| reverse
```

Here is another way that presumes you have exactly 1 measure/second:

```
| reverse
| autoregress voltage AS prev_voltage
| where abs(voltage - prev_voltage) > 100
| reverse
```

And yet another way that presumes you have exactly 1 measure/second:

```
| reverse
| streamstats current=f window=1 last(voltage) as prev_voltage
| where abs(voltage - prev_voltage) > 100
| reverse
```
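To check the logic of the searches above outside Splunk, here is a plain Python re-implementation (added example, not Splunk code or any answerer's code) run over the same four constructed readings. It implements the time-window variant of the accepted solution (readings within 1 second of each other, no one-reading-per-second assumption), flags both readings of each qualifying pair like the forward-plus-reverse streamstats passes, and adds a check for the follow-up question, assuming "X times over 10 seconds" means at least X qualifying pairs inside any 10-second span.

```python
from datetime import datetime

# Constructed sample events: the four readings from the question.
RAW_EVENTS = [
    "1/1/2018 12:00:00 | voltage=200",
    "1/1/2018 12:00:01 | voltage=400",
    "1/1/2018 12:00:02 | voltage=200",
    "1/1/2018 12:00:03 | voltage=200",
]

def parse_events(lines):
    """Return (epoch_seconds, voltage) tuples sorted oldest first.
    Mirrors the strptime/rex step of the makeresults search above."""
    events = []
    for line in lines:
        stamp, _, field = line.partition(" | ")
        ts = datetime.strptime(stamp.strip(), "%m/%d/%Y %H:%M:%S").timestamp()
        events.append((ts, int(field.split("=", 1)[1])))
    return sorted(events)

def spike_pairs(events, max_gap=1.0, threshold=100):
    """Index pairs (i, j) of readings at most max_gap seconds apart whose
    voltage differs by more than threshold. Does not assume one reading
    per second, so it matches the time_window=1s form of the accepted answer."""
    pairs = []
    for i, (t_i, v_i) in enumerate(events):
        for j in range(i + 1, len(events)):
            t_j, v_j = events[j]
            if t_j - t_i > max_gap:
                break  # input is time-sorted: nothing later fits the gap
            if abs(v_j - v_i) > threshold:
                pairs.append((i, j))
    return pairs

def flagged_events(events, **kw):
    """Both readings of every qualifying pair, like the two-pass
    (forward + reverse) streamstats logic in the accepted answer."""
    return sorted({idx for pair in spike_pairs(events, **kw) for idx in pair})

def spike_count_exceeds(events, n, window=10.0, **kw):
    """Follow-up question: True when at least n qualifying pairs fall
    within any window-second span (timed by the later reading of each pair)."""
    times = [events[j][0] for _, j in spike_pairs(events, **kw)]
    for k, start in enumerate(times):
        if sum(1 for t in times[k:] if t - start <= window) >= n:
            return True
    return False
```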
Revered Legend

Give this a try

```
your current search giving above results
| streamstats current=f window=1 values(voltage) as prev_voltage
| where abs(prev_voltage-voltage)>100
```