Splunk Enterprise Security

What does rt-5m@m to rt-65m@m time-range mean?

nabeel652
Builder

Hi Guys

In Splunk ES there is a correlation search "Excessive Failed Logins" which has its time range set to latest=rt-5m@m earliest=rt-65m@m. It is scheduled */5 * * * *
I can't understand what rt means in the time ranges.

0 Karma

gcusello
SplunkTrust

Hi @nabeel652,
it means that:

  • the time range of this search is an hour,
  • from 65 minutes to 5 minutes in the past,
  • @m means that the time range is taken from the start of the minute (0 seconds),
  • rt means that the time range is continuously updated,
  • the scheduled time is probably */5 * * * * (I cannot see it in your question; please use the "Code Sample" option), and it means that it is scheduled to run every 5 minutes.

Ciao and Happy New Year.
Giuseppe

nabeel652
Builder

thanks @gcusello

I know the rest of the stuff; I'm just confused about the rt part. Can you elaborate a bit on what "continuously updated" means?

Yes, it was */5 * * * *; it was missed due to formatting.

0 Karma

gcusello
SplunkTrust

Hi @nabeel652,
first of all, I don't like real-time searches because they are very expensive in terms of resource usage, so I usually try to avoid them (remember that every search takes a CPU and releases it only when finished!).

Anyway, real time means that you continuously use the newly received logs in your search. You can easily see this by running a simple search in your search dashboard with a real-time time frame: you see all the events you are receiving during the search execution displayed one by one, instead of the visualization being limited to the search time period.

Ciao and Happy New Year.
Giuseppe

0 Karma

nabeel652
Builder

Thanks a lot gcusello

Sorry for being dumb: when I run a real-time search in the dashboard it is continuous. But what confuses me here is that it is scheduled to run every five minutes. So what does it mean? It executes at, say, 00 past the hour, and since it is real time I believe it will keep running perpetually, scanning the newly received events continuously. However, what would happen at 05 past the hour? Or will it run once on real-time data and then stop, and run again on real-time data after five minutes? If this is the case, we are already looking five minutes back in the time range, i.e. rt-5m@m.

0 Karma

gcusello
SplunkTrust

Hi @nabeel652,

Tell me if I can help you more; otherwise, please accept my answer for the other people of the Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

gcusello
SplunkTrust

Hi @nabeel652,
you're right to be confused by this; even I can't tell you why there is an alarm scheduled every five minutes that works in real time and with the @m option. It would have been the same thing to have a search not in real time and schedule the alert every minute.
Instead, you are wrong when you say "It executes at, say, 00 past the hour": the alert has the whole frame as its time frame, not whole hours, so it is executed at 02.00.00 and takes the data from 00.55.00 to 01.55.00, then after a minute from 00.56.00 to 01.56.00, and so on.
The only reason I can think of for real time being useful is if there are events received with a delay of more than five minutes that belong to the reference time frame, because with real time they are considered, while they would not be if I had a fixed time frame.

Ciao and Happy New Year.
Giuseppe
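To make the two points above concrete (the window definition in the first answer, and the minute-by-minute sliding plus late-arriving events in the last one), here is an added example. It is not code from this thread or from Splunk; it is a small Python model of how a modifier such as rt-65m@m is evaluated at a given instant. It assumes only the modifier grammar [rt][+|-]<integer><unit>[@<snap>] with the units s, m, h and d, assumes the offset is applied before the snap, and uses constructed sample events (field names src, action, _time, _indextime and the threshold of 3 are illustrative, not the real correlation search's settings).

```python
"""Added example: evaluate Splunk-style relative time modifiers and watch the
real-time window slide. Assumption: offset is applied first, then the @snap."""
import re
from datetime import datetime, timedelta, timezone

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
# [rt][+|-]<int><unit>[@<snap>]  e.g. rt-65m@m, -5m@m, @h, rt
MODIFIER = re.compile(r"^(rt)?(?:([+-])(\d+)([smhd]))?(?:@([smhd]))?$")


def resolve(modifier: str, now: datetime):
    """Evaluate `modifier` at instant `now`. Returns (is_realtime, datetime)."""
    m = MODIFIER.match(modifier)
    if not m:
        raise ValueError(f"unsupported modifier: {modifier!r}")
    rt, sign, amount, unit, snap = m.groups()
    t = now
    if sign:  # relative offset, e.g. -65m
        delta = timedelta(seconds=int(amount) * UNIT_SECONDS[unit])
        t = t + delta if sign == "+" else t - delta
    if snap == "s":
        t = t.replace(microsecond=0)
    elif snap == "m":  # @m: start of the minute (0 seconds)
        t = t.replace(second=0, microsecond=0)
    elif snap == "h":
        t = t.replace(minute=0, second=0, microsecond=0)
    elif snap == "d":
        t = t.replace(hour=0, minute=0, second=0, microsecond=0)
    return bool(rt), t


def window(earliest: str, latest: str, now: datetime):
    """(start, end) of the search window as evaluated at `now`."""
    return resolve(earliest, now)[1], resolve(latest, now)[1]


def failed_logins_by_src(events, start, end, seen_at, threshold):
    """Count failures per src whose _time is in [start, end) and which were
    already indexed at `seen_at`; return the sources at or over `threshold`."""
    counts = {}
    for e in events:
        if e["action"] != "failure" or e["_indextime"] > seen_at:
            continue
        if start <= e["_time"] < end:
            counts[e["src"]] = counts.get(e["src"], 0) + 1
    return {src: n for src, n in counts.items() if n >= threshold}


def T(hh, mm, ss=0):
    """Helper for constructing UTC timestamps on a fixed sample day."""
    return datetime(2024, 1, 1, hh, mm, ss, tzinfo=timezone.utc)


# Constructed sample events (not real log data). The last one has a _time
# inside the window but was indexed 30 s after the 02:00:00 evaluation.
EVENTS = [
    {"src": "10.0.0.5", "action": "failure", "_time": T(1, 10), "_indextime": T(1, 10, 2)},
    {"src": "10.0.0.5", "action": "failure", "_time": T(1, 30), "_indextime": T(1, 30, 1)},
    {"src": "10.0.0.9", "action": "success", "_time": T(1, 40), "_indextime": T(1, 40, 1)},
    {"src": "10.0.0.5", "action": "failure", "_time": T(1, 56), "_indextime": T(1, 56, 1)},  # after latest
    {"src": "10.0.0.5", "action": "failure", "_time": T(1, 54), "_indextime": T(2, 0, 30)},  # late arrival
]

if __name__ == "__main__":
    for now in (T(2, 0, 0), T(2, 0, 30), T(2, 1, 0)):
        start, end = window("rt-65m@m", "rt-5m@m", now)
        hits = failed_logins_by_src(EVENTS, start, end, now, threshold=3)
        print(f"{now:%H:%M:%S}: window {start:%H:%M}-{end:%H:%M} -> {hits}")
```

Running it shows the behaviour described in the thread: at 02:00:00 the window is 00:55 to 01:55 and the late event is not yet indexed, so the source stays under the threshold; at 02:00:30 the window is unchanged (the @m snap holds it still within the minute) but the late event has arrived and the count crosses the threshold; at 02:01:00 the window has slid to 00:56 to 01:56. A fixed, non-real-time search that ran once at 02:00:00 would only ever have seen the first state.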
