index="YouShouldAlwaysSpecifyYourIndex" AND sourcetype="AndYourSourcetypeToo" AND alertname!="*pdm*"
| streamstats time_window=2h count by alertname user
| where count>3
Hi,
To find events over the last two hours, use a search similar to the following:
index=foo alertname!="*pdm*" earliest=-2h latest=now
To find multiple occurrences of events by user in a rolling two-hour window, schedule an hourly search similar to the following:
index=foo alertname!="*pdm*" earliest=-2h@h latest=@h
| eventstats count by alertname user
| where count>1
To increase the frequency of detection, change the schedule and snap the time values to the same interval. For example, to search a rolling 2 hour window every minute:
index=foo alertname!="*pdm*" earliest=-2h@m latest=@m
| eventstats count by alertname user
| where count>1
You may need to modify your scheduled search settings relative to indexing and scheduling lag in your environment, or alternatively loosen your earliest and latest predicates and use _index_earliest and _index_latest to constrain the event window. More information on time modifiers is available at https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Searchtimemodifiers.
Is there a more complex problem you're trying to solve?
Hi,
My use case is: within 2 hours, if a user triggers an alert other than pdm more than 3 times!
If your alerts are triggered no more frequently than once per minute, the last example should work with an adjusted threshold:
index=foo alertname!="*pdm*" earliest=-2h@m latest=@m
| eventstats count by alertname user
| where count>3
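The two approaches in this thread behave differently on a burst that straddles an hour boundary: the streamstats search evaluates a trailing two-hour window at every event, while the scheduled eventstats search only sees the events that fall inside its snapped earliest/latest window. The following Python model (an added example, not from the thread or from Splunk) makes that difference concrete: it applies alertname!="*pdm*", counts non-pdm alerts per user with both a sliding window and a snapped scheduled window, and uses the question's "more than 3" threshold (count>3). The sample events, timestamps and user names are constructed for the example; it groups by user alone (the question's use case) by default, and by_alertname_user reproduces the thread's `count by alertname user`.

```python
"""Sliding-window vs snapped-window counting of non-pdm alerts per user."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample alert events, not taken from the thread: (_time, user, alertname).
SAMPLE_EVENTS = [
    ("2024-05-01 09:00:00", "bob",   "failed_login"),
    ("2024-05-01 10:10:00", "alice", "failed_login"),
    ("2024-05-01 10:20:00", "alice", "pdm_disk_usage"),      # dropped by alertname!="*pdm*"
    ("2024-05-01 10:50:00", "alice", "failed_login"),
    ("2024-05-01 11:30:00", "alice", "privilege_escalation"),
    ("2024-05-01 12:05:00", "alice", "failed_login"),        # 4th non-pdm alert in 1h55m
    ("2024-05-01 12:30:00", "bob",   "failed_login"),
    ("2024-05-01 12:40:00", "bob",   "pdm_backup"),
]


def by_user(event):
    """Grouping used by default here: `count by user` (the question's use case)."""
    return event[1]


def by_alertname_user(event):
    """Grouping used in the thread's searches: `count by alertname user`."""
    return (event[2], event[1])


def prepare(events=SAMPLE_EVENTS, exclude="*pdm*"):
    """Parse timestamps, sort by _time and apply alertname!="*pdm*".
    Splunk wildcard matching is case-insensitive, hence lower()."""
    parsed = sorted((datetime.strptime(t, FMT), u, a) for t, u, a in events)
    return [e for e in parsed if not fnmatchcase(e[2].lower(), exclude)]


def sliding_window_hits(events, window=timedelta(hours=2), threshold=3, key=by_user):
    """Model of `streamstats time_window=2h count by ... | where count>threshold`:
    at every event, count the group's events in the trailing window.
    Returns {group: _time (as text) of the first event that exceeds the threshold}."""
    recent = defaultdict(deque)
    hits = {}
    for event in events:
        ts, group = event[0], key(event)
        q = recent[group]
        q.append(ts)
        while ts - q[0] > window:        # evict events that fell out of the window
            q.popleft()
        if len(q) > threshold and group not in hits:
            hits[group] = str(ts)
    return hits


def snap(ts, unit):
    """Model of Splunk's @h / @m snapping: truncate to the hour or the minute."""
    if unit == "h":
        return ts.replace(minute=0, second=0, microsecond=0)
    if unit == "m":
        return ts.replace(second=0, microsecond=0)
    raise ValueError(f"unsupported snap unit {unit!r}")


def scheduled_hits(events, run_time, snap_unit="h", window=timedelta(hours=2),
                   threshold=3, key=by_user):
    """Model of one run, at `run_time`, of the scheduled search
    `earliest=-2h@<unit> latest=@<unit> | eventstats count by ... | where count>threshold`.
    That run only sees events with earliest <= _time < latest."""
    latest = snap(datetime.strptime(run_time, FMT), snap_unit)
    earliest = latest - window
    counts = defaultdict(int)
    for event in events:
        if earliest <= event[0] < latest:
            counts[key(event)] += 1
    return {g for g, c in counts.items() if c > threshold}


if __name__ == "__main__":
    clean = prepare()
    print("sliding window:", sliding_window_hits(clean))
    for run in ("2024-05-01 12:00:00", "2024-05-01 13:00:00"):
        print("hourly run at", run, "->", scheduled_hits(clean, run, "h"))
    print("per-minute run at 12:06 ->", scheduled_hits(clean, "2024-05-01 12:06:00", "m"))
```

With this data, alice's four non-pdm alerts span 1h55m but cross the 11:00 and 12:00 boundaries, so the hourly-snapped runs at 12:00 and 13:00 each see at most three of them and never fire, while the sliding window fires at the fourth alert and a per-minute run at 12:06 fires as well; that is the gap the "search a rolling 2 hour window every minute" advice closes. Grouping by alertname and user, as the thread's searches do, splits alice's alerts across two names and does not exceed the threshold at all, which matters if the use case is "any non-pdm alert", as the question states.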