Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

I am searching for a query

matthiascarlier
Engager
‎04-20-2018 01:57 AM

I am new to Splunk (Enterprise Security) and I am stuck on making a certain correlation search.

An example of the events I get:

1) 1/1/2018 12:00:00 | voltage=200
2) 1/1/2018 12:00:01 | voltage=400
3) 1/1/2018 12:00:02 | voltage=200
4) 1/1/2018 12:00:03 | voltage=200

Is it possible to get the events in a range of 1 second of each other where the difference in voltage is more than 100?

So what I mean is that I need for every combination of 1 second a control that the difference is more than 100.
So the result needs to be:
- event 1: difference between 1 and 2 in voltage is more than 100
- event 2: difference between 2 and 3 in voltage is more than 100

Can someone help me with this? I have no clue how to solve this one...
Many thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎04-22-2018 04:19 PM

This assumes that your readings are ALWAYS every 1 second and you just mean successive readings with voltage difference more than 100.

    your current search giving above results
   | streamstats current=t window=2 range(voltage) as voltage_difference
   | reverse
   | streamstats current=f window=1 last(voltage_difference) as voltage_difference2
   | where (voltage_difference > 100) OR (voltage_difference2 > 100)
   | reverse

This assumes that your readings may happen at other intervals and you are only interested in those that are within 1 second of each other with voltage difference more than 100.

    your current search giving above results
   | streamstats current=t time_window=1s range(voltage) as voltage_difference
   | reverse
   | streamstats current=t time_window=1s range(voltage) as voltage_difference2
   | where (voltage_difference > 100) OR (voltage_difference2 > 100)
   | reverse

View solution in original post

Reply
Solved! Jump to solution

matthiascarlier
Engager
‎04-24-2018 03:02 AM

Thanks for the answers!

Now I have another question following on the previous one:
How can I make it that way, an event is triggered when this event happens X times over 10 seconds for example?

0 Karma
Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎04-22-2018 04:19 PM

This assumes that your readings are ALWAYS every 1 second and you just mean successive readings with voltage difference more than 100.

    your current search giving above results
   | streamstats current=t window=2 range(voltage) as voltage_difference
   | reverse
   | streamstats current=f window=1 last(voltage_difference) as voltage_difference2
   | where (voltage_difference > 100) OR (voltage_difference2 > 100)
   | reverse

This assumes that your readings may happen at other intervals and you are only interested in those that are within 1 second of each other with voltage difference more than 100.

    your current search giving above results
   | streamstats current=t time_window=1s range(voltage) as voltage_difference
   | reverse
   | streamstats current=t time_window=1s range(voltage) as voltage_difference2
   | where (voltage_difference > 100) OR (voltage_difference2 > 100)
   | reverse
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-22-2018 02:36 PM

Here are a couple of different ways, all starting with this to generate fake event data:

|makeresults
| eval raw="1/1/2018 12:00:00 | voltage=200:::1/1/2018 12:00:01 | voltage=400:::1/1/2018 12:00:02 | voltage=200:::1/1/2018 12:00:03 | voltage=200"
| makemv delim=":::" raw
| mvexpand raw
| rename raw AS _raw
| eval _time=strptime(_raw, "%m/%d/%Y %H:%M:%S")
| rex "voltage=(?<voltage>\d+)"
| streamstats count AS SERIAL

Here is one way:

| reverse
| streamstats time_window=2 range(voltage) AS voltage_span
| search voltage_span>100
| reverse

Here is another way that presumes you have exactly 1 measure/second:

| reverse
| autoregress voltage AS prev_voltage
| where abs(voltage - prev_voltage) > 100
| reverse

And yet another way that presumes you have exactly 1 measure/second:

| reverse
| streamstats current=f window=1 last(voltage) as prev_voltage
| where abs(voltage - prev_voltage) > 100
| reverse
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎04-20-2018 08:01 AM

Give this a try

your current search giving above results
| streamstats current=f window=1 values(voltage) as prev_voltage
| where abs(prev_voltage-voltage)>100
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...