
Back fill of data in timerange

smanojkumar
Contributor

Hello Splunkers,

I have logs which are generated only when there is a change in the system:

6:01:01 - System Stop
10:54:01 - System Start
13:09:04 - System Stop
16:01:01 - System Start
17:01:01 - System Stop

These are the logs.

Let's say I'm searching it in a chart, for the time range from 7 AM - 4 PM.

The chart from 8 AM until 10:54:01 AM is empty since the previous event was generated at 6:01:01, so there is a gap.

I would like to fix this. In some cases only 2 values are repeated, so we can take the present one; the past one can be its opposite.

Eg - At 10:54:01 - System Start: we have received this log, where the system is started, so the previous one will be Stop.

That is fixed for some cases. I need two solutions: one only for this scenario, the other for multiple values, like these:

14:01:01 - System Started
17:54:01 - System reset
22:09:04 - System Stop
23:01:01 - System Started
01:01:01 - System Stop

whereas here I'm getting three values: Started, Stop and reset.

Thanks in advance!

0 Karma

ITWhisperer
SplunkTrust

Please clarify what you want Splunk to assume in the second case, for example, if the search was from 21:00, would you want Splunk to assume the previous state was "System reset" or "System Start"?

Do you want to search for a longer period of time to try and find the previous state, and then remove these results from the chart?

0 Karma

smanojkumar
Contributor

Hello @ITWhisperer ,

Thanks for your reply.

17:54:01 - System reset
22:09:04 - System Stop
23:01:01 - System Started
01:01:01 - System Stop

In the case of from 21:00, I need to take it as System reset, followed by the other values.

Actually I just need to fill the value, even if the logs weren't there in the selected time range.

Thanks!

0 Karma

ITWhisperer
SplunkTrust

How does Splunk know what the previous state was unless it is included in the search?

For example, if the first state is "System Stop" and the system was reset 3 days, or 3 weeks, or 3 months ago, what do you want Splunk to report?

0 Karma

smanojkumar
Contributor

Hello @ITWhisperer ,

Thanks for asking!

You are right. It will be like this: the next event will be received within 3 days; it won't take more time in the worst case.

I'm using those values in the chart; when we search with a smaller time range, I can't see the logs for that time range because of the gap in logs.

I have listed two scenarios. As per scenario 1, the previous value is just the opposite of the next one.

Scenario 2 is a bit hard, having multiple values, which can be generated up to 3 days before in the worst case.

Thanks!

0 Karma

ITWhisperer
SplunkTrust

For the first case, try something like this

``` your base search, returning _time and state, goes before this append ```
| append
    [| makeresults
    | addinfo
    | rename info_min_time as _time
    | fields _time
    | eval state="System unknown"]
``` newest first, so with current=f the "previous" row is the later event ```
| sort 0 - _time
| streamstats last(state) as previousState window=1 current=f
``` the placeholder at the start of the range takes the opposite of the first real state ```
| eval state=if(state!="System unknown",state,if(previousState=="System Stop", "System Start", "System Stop"))

0 Karma
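The gap-filling rule the thread is after, as an added example that is not from the original post or from Splunk: it is written in Python rather than SPL so the logic can be checked offline against the poster's two sample logs (the dates, the field layout and the three-day lookback are assumptions taken from the thread). It carries the last known state forward when one exists within the lookback (any number of states, scenario 2) and otherwise falls back to the opposite-state inference of scenario 1.

```python
from datetime import datetime, timedelta

# Constructed sample logs modelled on the two scenarios in the question.
LOG_TWO_STATE = """\
2024-01-01 06:01:01 - System Stop
2024-01-01 10:54:01 - System Start
2024-01-01 13:09:04 - System Stop
2024-01-01 16:01:01 - System Start
2024-01-01 17:01:01 - System Stop"""

LOG_MULTI_STATE = """\
2024-01-01 14:01:01 - System Started
2024-01-01 17:54:01 - System reset
2024-01-01 22:09:04 - System Stop
2024-01-01 23:01:01 - System Started
2024-01-02 01:01:01 - System Stop"""

# Scenario 1 has only two states, so the state before the first in-range
# event is its opposite.  Scenario 2 has no such rule.
OPPOSITE = {"System Stop": "System Start", "System Start": "System Stop"}
LOOKBACK = timedelta(days=3)  # poster: a new event arrives within 3 days at worst

def ts(text):
    """Parse 'YYYY-MM-DD HH:MM:SS' (assumed timestamp layout) into a datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def parse(log):
    """Turn '<timestamp> - <state>' lines into a time-sorted list of (time, state)."""
    events = []
    for line in log.splitlines():
        stamp, _, state = line.partition(" - ")
        events.append((ts(stamp), state.strip()))
    return sorted(events)

def backfill(events, start, end, opposite=None):
    """Events in [start, end) plus a synthetic event at `start` carrying the state
    in force then, so the chart has no gap: the last real event within LOOKBACK
    before `start` (any number of states), else the opposite of the first in-range
    state for a two-state system, else 'System unknown'."""
    in_range = [e for e in events if start <= e[0] < end]
    before = [e for e in events if start - LOOKBACK <= e[0] < start]
    if before:
        initial = before[-1][1]
    elif opposite and in_range:
        initial = opposite.get(in_range[0][1], "System unknown")
    else:
        initial = "System unknown"
    if in_range and in_range[0][0] == start:
        return in_range  # a real event already sits at the range start
    return [(start, initial)] + in_range
```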

livehybrid
SplunkTrust

Hi @smanojkumar 

I may have misunderstood, but if you want the search to include the event at 6 AM then you will need to change the earliest time within the search to cover this event.

Feel free to share a screenshot example of what you are seeing to help explain the difference to your expectation/intention.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

0 Karma