Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Changing a real-time search to date range sear...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all. I have been working on a query to alert us to when a date changes for a specific item, the item is represented in my query as GroupId. Dates can change any number of times, and I want to receive an alert whenever they do.
I have come up with the following real-time search. I am concerned about it only having the data available from when the search starts.
index=daluat PublishedGtpRule GroupId | dedup 100 GroupId sortby -_time | stats first(Date) As CurrentDate list(Date) As PreviousDates dc(Date) As Count by GroupId | where Count>1
I'll try my best to explain what I think would work best.
- Search for distinct GroupIds over a time period
- For each GroupId, search for the previous occurrence of it - all time
- Result if date has changed
Preferably I'd like to see what the new and previous dates are too.
This way my alerting doesn't have to be real-time. I can simply run it every minute, and look back over the last 2 or 3 minutes and allow the subsearch to go back through all time to find the last occurrence of a GroupId.
FYI the number of GroupIds per minute is a low number, 10 at most.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have solved my problem. If anyone has any cleaner suggestions I would be more than happy to hear from you. I hope this helps someone one day.
I run the following search on a schedule every 10 minutes with a time range from -1y to now.
index=daluat Published GroupId
| DEDUP 2 GroupId
| STATS DC(Date) AS dist_dates FIRST(Date) AS NewDate LAST(Date) AS OldDate LATEST(_time) AS latest_time BY GroupId
| EVAL relative_time_threshold=relative_time(now(),"-10m")
| WHERE latest_time>relative_time_threshold AND dist_dates>1
| CONVERT CTIME(latest_time)
| FIELDS GroupId NewDate OldDate
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have solved my problem. If anyone has any cleaner suggestions I would be more than happy to hear from you. I hope this helps someone one day.
I run the following search on a schedule every 10 minutes with a time range from -1y to now.
index=daluat Published GroupId
| DEDUP 2 GroupId
| STATS DC(Date) AS dist_dates FIRST(Date) AS NewDate LAST(Date) AS OldDate LATEST(_time) AS latest_time BY GroupId
| EVAL relative_time_threshold=relative_time(now(),"-10m")
| WHERE latest_time>relative_time_threshold AND dist_dates>1
| CONVERT CTIME(latest_time)
| FIELDS GroupId NewDate OldDate
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's not real time anymore. It's running once every 10 minutes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
if it is a realtime then shouldn't it be -1y to rt?
Calling All Security Pros: Ready to Race Through Boston?
Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...
Customer success is front and center at .conf25
