Splunk Search

Can you help me with a query using the streamstats command?

zacksoft
Contributor

Here is how events are,

2018-12-20T13:38:07.938-0500: 28658.929: [**Dull BC** (Allocation Failure) 
2018-12-20T13:38:12.764-0500: 28663.756: [SoftReference, 410050 refs, 0.1673385 secs
2018-12-20T13:38:12.932-0500: 28663.923: [WeakReference, 117939 refs, 0.0132928 secs]
2018-12-20T13:38:12.945-0500: 28663.936: [FinalReference, 476 refs, 0.0002134 secs]
2018-12-20T13:38:12.945-0500: 28663.937: [PhantomReference, 658 refs, 789 refs, 0.0002301 secs]
2018-12-20T13:38:12.945-0500: 28663.937: [JNI Weak Reference, 0.0005271 secs]
 17G->7032M(18G), **16.4882875** secs]

I am hoping streamstats would be able to help me with the following requirement,

If splunk search encounters the keyword 'Dull BC', then the control should jump to the next 5th event/sentence/line and fetch the value '16.2882857' for me.

0 Karma
1 Solution

whrg
Motivator

Hello @zacksoft,

You could use the streamstats command like this:

your base search
| streamstats count reset_after="("like(_raw,\"%Dull BC%\")")"
| search count=5

However, you will notice a minor glitch with this command: If the the first couple of lines do not contain "Dull BC" then the fifth line will have a count of 5 regardless.

Perhaps you could also use the transaction command:

your base search | sort -_time
| transaction startswith="**Dull BC**" endswith="JNI Weak Reference" maxevents=6

View solution in original post

whrg
Motivator

Hello @zacksoft,

You could use the streamstats command like this:

your base search
| streamstats count reset_after="("like(_raw,\"%Dull BC%\")")"
| search count=5

However, you will notice a minor glitch with this command: If the the first couple of lines do not contain "Dull BC" then the fifth line will have a count of 5 regardless.

Perhaps you could also use the transaction command:

your base search | sort -_time
| transaction startswith="**Dull BC**" endswith="JNI Weak Reference" maxevents=6

zacksoft
Contributor

Thank you.
The transaction command does the job, but I see anomaly.
sometimes maxevents = 6 shows the lines but mazevents = 9 doesn't.
It's strange..

0 Karma
Get Updates on the Splunk Community!

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...