Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

SPL query returns inaccurate results

jiaminyun
Path Finder
‎01-19-2025 09:49 PM

We use the map function to query data, and both July and March data can be queried separately to obtain results. However, selecting the time as March to July will result in a regular display of only March data and loss of July results. The impact is significant now, and we hope you can help us check, or if we can implement it in a different way. I use SPL as follows:

index=edws sourcetype=edwcsv status="是" 
| stats earliest(_time) as earliest_time latest(_time) as latest_time 
| eval earliest_time=strftime(earliest_time, "%F 00:00:00") 
| eval latest_time=strftime(latest_time, "%F 00:00:00") 
| eval earliest_time=strptime(earliest_time, "%F %T") 
| eval earliest_time=round(earliest_time) 
| eval latest_time=strptime(latest_time, "%F %T") 
| eval latest_time=round(latest_time) 
| addinfo 
| table info_min_time info_max_time earliest_time latest_time
| eval searchEarliestTime=if(info_min_time == "0.000",earliest_time,info_min_time ) 
| eval searchLatestTime=if(info_max_time="+Infinity", relative_time(latest_time,"+1d"), info_max_time) 
| eval start=mvrange(searchEarliestTime, searchLatestTime, "1d")
| mvexpand start 
| eval end=relative_time(start,"+7d") 
| eval alert_date=relative_time(end,"+1d") 
| eval a=strftime(start, "%F") 
| eval b=strftime(end, "%F") 
| eval c=strftime(alert_date, "%F") 
| fields start a end b c
| map search="search earliest=\"$start$\" latest=\"$end$\"  
index=edws sourcetype=edwcsv status="是"    | bin _time span=1d  | stats dc(_time) as "访问敏感账户次数" by  date day name department number
    | eval a=$a$  | eval b=$b$ | eval c=$c$
    | stats sum(访问敏感账户次数) as count,values(day) as "查询日期" by a b c name number department
" maxsearches=500000
| where count > 2
Labels (1)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎01-19-2025 11:36 PM
Can you explain what you try to do in English not with SPL?
0 Karma
Reply

jiaminyun
Path Finder
‎01-19-2025 11:44 PM

Thank you for your reply. The core requirement I want to achieve is to enable the same user or department to access the same account multiple times within 7 consecutive days, with each visit counted as 1 time per day. Finally, filter out those that have been visited for more than 2 days. For example, the first query started on January 1, 2019 at 00:00:00 and ended on January 8 at 00:00:00, the second query started on January 2, 2019 at 00:00:00 and ended on January 9 at 00:00:00, and so on to achieve this requirement. The SPL submitted above is based on the core calculation in the map. The earliest time calculated in the map is based on a 7-day logic to generate periodic data.

Tags (1)
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...