Splunk Enterprise Security

What does rt-5m@m to rt-65m@m time-range mean?

nabeel652
Builder

Hi Guys

In Splunk ES there is correlation search "Excessive Failed Logins" which has time range set to latest=rt-5m@m earliest=rt-65m@m. It is scheduled */5 * * * *
Can't understand what rt means in the time ranges

0 Karma

gcusello
SplunkTrust

Hi @nabeel652,
it means that:

  • the time range of this search is an hour,
  • from the start of 65 minutes to 5 minutes in the past,
  • @m means that the time range is taken from the start of the minute (0 seconds),
  • rt means that the time range is continuously updated,
  • the scheduled time is probably */5 * * * * (I cannot see it in your question, please, use the "Code Sample" option) and it means that it's scheduled to run every 5 minutes.

Ciao and Happy New Year.
Giuseppe

0 Karma

nabeel652
Builder

thanks @gcusello

I know the rest of the stuff, just confused about rt part. Can you elaborate it a bit what does continuously update means?

Yes, it was */5 * * * *; it was missed due to formatting.

0 Karma

gcusello
SplunkTrust

Hi @nabeel652,
first of all, I don't like real-time searches because they are very expensive in terms of resource usage, so I usually try to avoid them (remember that every search takes a CPU and releases it only when finished!).

Anyway, real time means that you continuously use the newly received logs in your search; you can easily see this by running a simple search in your search dashboard with a real-time time frame: you see all the events you are receiving displayed one by one during the search execution, instead of the visualization being limited to the search time period.

Ciao and Happy New Year.
Giuseppe

0 Karma

nabeel652
Builder

Thanks a lot gcusello

Sorry for being dumb, when I run a real-time search in the dashboard it is continuous. But what confuses me here is that it is scheduled to run every five minutes. So what does that mean? If it executes on, say, 00 past the hour and it is real time, I believe it will keep running perpetually, scanning the newly received events continuously. However, what would happen at 05 past the hour? Or will it run once on real-time data, then stop and run again on real-time data five minutes later? If this is the case, we are already looking five minutes back in the time range, i.e. rt-5m@m.

0 Karma

gcusello
SplunkTrust

Hi @nabeel652,
you're right to be confused by this; I can't tell you either why there is an alarm scheduled every five minutes that works in real time and with the @m option. It would have been the same thing to have a search not in real time and schedule the alert every minute.
Instead, you are wrong when you say "It executes on, say, 00 past the hour": the alert has the whole frame as its time frame, not whole hours, so it is executed at 02.00.00 and takes the data from 00.55.00 to 01.55.00, then after a minute from 00.56.00 to 01.56.00 and so on.
The only reason I can think of that real time is useful is if there are events received with a delay of more than five minutes that belong to the reference time frame, because with real time they are considered, while they would not be if I had a fixed time frame.

Ciao and Happy New Year.
Giuseppe

0 Karma
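The window arithmetic discussed in the thread (a run at 02.00.00 covering 00.55.00 to 01.55.00, and how much consecutive 5-minute runs of a 60-minute window overlap) worked out in Python, as an added example that is not from the thread or from Splunk; it assumes the offset-then-snap modifier form used by this search (`rt-65m@m`, `rt-5m@m`) and treats the `rt` prefix only as a flag on the window.

```python
import re
from datetime import datetime, timedelta

# Relative time modifier as used by the correlation search: optional "rt"
# prefix, optional signed offset (e.g. -65m), optional snap unit (e.g. @m).
# Assumption: only the offset-then-snap order shown on the page is handled.
MOD_RE = re.compile(r"^(rt)?(?:now)?(?:([+-]\d+)([smhd]))?(?:@([smhd]))?$")
UNIT = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}


def resolve(modifier, run_at):
    """Return (is_realtime, boundary) for one modifier evaluated at run_at."""
    m = MOD_RE.match(modifier)
    if not m:
        raise ValueError(f"unsupported modifier: {modifier}")
    rt, amount, unit, snap = m.groups()
    t = run_at
    if amount:
        t += timedelta(**{UNIT[unit]: int(amount)})
    if snap == "s":
        t = t.replace(microsecond=0)
    elif snap == "m":  # @m: back to the start of the minute (0 seconds)
        t = t.replace(second=0, microsecond=0)
    elif snap == "h":
        t = t.replace(minute=0, second=0, microsecond=0)
    elif snap == "d":
        t = t.replace(hour=0, minute=0, second=0, microsecond=0)
    return rt is not None, t


def window(earliest, latest, run_at):
    """Concrete earliest/latest boundaries of a search started at run_at."""
    rt_e, start = resolve(earliest, run_at)
    rt_l, end = resolve(latest, run_at)
    return {"realtime": rt_e or rt_l, "earliest": start, "latest": end}


def overlap_minutes(w1, w2):
    """Minutes shared by two windows, e.g. two consecutive scheduled runs."""
    start = max(w1["earliest"], w2["earliest"])
    end = min(w1["latest"], w2["latest"])
    return max(0, int((end - start).total_seconds() // 60))


if __name__ == "__main__":
    # Constructed run times: a cron */5 * * * * firing at 02:00 and 02:05.
    first = window("rt-65m@m", "rt-5m@m", datetime(2021, 1, 1, 2, 0, 0))
    second = window("rt-65m@m", "rt-5m@m", datetime(2021, 1, 1, 2, 5, 0))
    print(first, second, overlap_minutes(first, second))
```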