Hi Guys
In Splunk ES there is correlation search "Excessive Failed Logins" which has time range set to latest=rt-5m@m earliest=rt-65m@m. It is scheduled */5 * * * *
Can't understand what rt means in the time ranges
Hi @nabeel652,
it means that:
"@m" means that the time range is taken from the start of the minute (0 seconds),
"rt" means that the time range is continuously updated,
"*/5 * * * *" (I cannot see it in your question, please, use the "Code Sample" option) means that it's scheduled to run every 5 minutes.
Ciao and Happy New Year.
Giuseppe
thanks @gcusello
I know the rest of the stuff, just confused about the rt part. Can you elaborate a bit on what continuously updated means?
Yes, it was */5 * * * *
that was missed due to formatting.
Hi @nabeel652,
at first, I don't like real time searches because they are very expensive in terms of resource usage! So I usually try to avoid them (remember that every search takes a CPU and releases it only when finished!).
Anyway, real time means that you continuously use the newly received logs in your search. You can easily see this by running a simple search in your search dashboard with a real time time frame: you can see all the events that you're receiving during the search execution displayed one by one, instead of the visualization being limited to the search time period.
Ciao and Happy New Year.
Giuseppe
Thanks a lot gcusello
Sorry for being dumb, when I run a realtime search in the dashboard it is continuous. But what confuses me here is that it is scheduled to run every five minutes. So what does it mean? It executes on, say, 00 past the hour and, since it is real time, I believe it will keep running perpetually, scanning the newly received events continuously. However, what'd happen at 05 past the hour? Or will it run once on real time data and then stop, and run again on realtime data after five minutes? If this is the case we are already looking five minutes back in the time range, i.e. rt-5m@m
Hi @nabeel652,
tell me if I can help you more, otherwise, please, accept my answer for the other people of the Community.
Ciao and happy splunking.
Giuseppe
P.S.: Karma Points are appreciated 😉
Hi @nabeel652,
you're right to be confused by this thing, even I can't tell you why there is an alarm scheduled every five minutes that works in real time and with the @m option; it would have been the same thing to have a search not in real time and schedule the alert every minute.
Instead you are wrong when you say "It executes on say 00 past the hour": the alert has the whole frame as time frame, not the whole hours, so it is executed at 02.00.00 and takes the data from 00.55.00 to 01.55.00, then after a minute from 00.56.00 to 01.56.00 and so on.
The only reason I can think that real time is useful is if there are events received with a delay of more than five minutes that belong to the reference time frame, because with real time they are considered, while they would not be if I had a fixed time frame.
Ciao and Happy New Year.
Giuseppe
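As an added illustration that is not part of the thread or of Splunk's own code, here is a small Python model of how the modifiers discussed above resolve: it assumes Splunk's left-to-right semantics (offset first, then the "@" snap), supports only the s/m/h/d units, and uses constructed reference times to show the rt-65m@m .. rt-5m@m window sliding each minute beside the same bounds without rt fired by the */5 cron.

```python
import re
from datetime import datetime, timedelta

# Subset of Splunk's relative-time grammar handled here (assumption: it
# covers the ES ranges in the thread): [rt] ( now | ([+-]N<unit> | @<unit>)* )
# Tokens apply left to right, so "-5m@m" first subtracts 5 minutes and then
# snaps to the start of that minute (seconds = 0), which is what "@m" does.
UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
_TOKEN = re.compile(r"[+-]\d+[smhd]|@[smhd]")

def _snap(t: datetime, unit: str) -> datetime:
    """Truncate t to the start of the given unit."""
    zero = {"s": {}, "m": {"second": 0}, "h": {"minute": 0, "second": 0},
            "d": {"hour": 0, "minute": 0, "second": 0}}[unit]
    return t.replace(microsecond=0, **zero)

def resolve(modifier: str, ref: datetime):
    """Resolve one modifier against reference time ref -> (is_realtime, time)."""
    realtime = modifier.startswith("rt")
    body = modifier[2:] if realtime else modifier
    if body in ("", "now"):
        return realtime, ref
    tokens = _TOKEN.findall(body)
    if "".join(tokens) != body:
        raise ValueError(f"unsupported modifier: {modifier!r}")
    t = ref
    for tok in tokens:
        if tok[0] == "@":
            t = _snap(t, tok[1])
        else:
            delta = timedelta(**{UNITS[tok[-1]]: int(tok[1:-1])})
            t = t + delta if tok[0] == "+" else t - delta
    return realtime, t

def window(earliest: str, latest: str, ref: str) -> dict:
    """Time window the search covers when evaluated at ISO timestamp ref."""
    now = datetime.fromisoformat(ref)
    rt_e, start = resolve(earliest, now)
    rt_l, end = resolve(latest, now)
    return {"realtime": rt_e or rt_l,
            "earliest": start.isoformat(), "latest": end.isoformat()}

if __name__ == "__main__":
    # Constructed times: the rt window re-evaluated each minute, beside the
    # same bounds without rt fired by a */5 cron at 02:00 and 02:05.
    for ref in ("2024-01-01T02:00:00", "2024-01-01T02:01:00"):
        print("rt  ", ref, window("rt-65m@m", "rt-5m@m", ref))
    for ref in ("2024-01-01T02:00:00", "2024-01-01T02:05:00"):
        print("cron", ref, window("-65m@m", "-5m@m", ref))
```

The rt window evaluated at 02:00:00 gives 00:55:00 to 01:55:00 and a minute later 00:56:00 to 01:56:00, the same figures given in the answer above; the cron version only moves every five minutes.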