Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

snapshot of 2 timeframes for the same query to look for consecutive....

Raj_Splunk_Ing
Explorer
‎10-29-2024 09:09 AM

Hi All, Thanks for your time,
I have a query for getting the number of errors for each client/customer, api_name,time etc

index=index_api

| stats count by customer,api_name, _time

 

If i have the dataset like below - how do i take the snapshot of it and compare in the next 30 minute dataset

Client/customer   api_name            _time                                   count

Abc                            Validation_V2   2024 oct 29 10.30             10

Xyz                             Testing_V2         2024 oct 29 10.30             15

TestCust                   Testing_V3         2024 oct 29 10.30            20

 

assuming these are for the last 30 mins...  when i get to the next run say after 30 mins 

i want to see if the same dataset is repeated so that i can get the consecutive error count

any guidance or helpful suggestions.... 

 

 

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-30-2024 01:39 PM

1. What do you mean by "capture dataset"?

2. If you just do stats by _time without binning the _time first, you'll get a lot of results which will be uncomparable with anything.

0 Karma
Reply

Raj_Splunk_Ing
Explorer
‎10-31-2024 07:37 AM

Hi PickleRick, Thanks for looking into this..

Say i have this dataset with errors for a particular client, api ... i need to look for the  error that is consecutive meaning it is repeating - say we are looking at the last 15 minutes

Client/customer   api_name            _time                                   error count

Abc                            Validation_V2   2024 oct 29 10.30             10

Xyz                             Testing_V2         2024 oct 29 10.30             15

TestCust                   Testing_V3         2024 oct 29 10.30            20

 

 

0 Karma
Reply

Raj_Splunk_Ing
Explorer
‎10-31-2024 08:08 AM

Hi , Say the numbers are for every 15 minute timeframe - i want to see for the same on the next 15 minutes run and see if they are consecutive meaning the error repeated again

 

sorry if i did not explain properly.. please let me know i can prepare a sample dataset

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-31-2024 01:55 PM

Ok, use

| bin _time span=15m

To split your data into 15-minute buckets. Then count your data by _time and all those other fields.

0 Karma
Reply

Raj_Splunk_Ing
Explorer
‎10-30-2024 07:36 AM

any suggestions please... i need to capture 2 datasets and see if there is anything that is repeating

 

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...