Solved: How can I search for an event that occurred within...

NimrodSky · ‎09-16-2015

Hi,

I need to run a search on an event that will return the occasions where this event happened within 5 minutes of the last time it happened.

Would appreciate any pointers to getting this done.

Thanks

Nimrod

woodcock · ‎09-16-2015

Like this:

... | reverse | streamstats current=f last(_time) AS prevTime | eval span=_time - prevTime | where span < 300

View solution in original post

woodcock · ‎09-16-2015

Like this:

... | reverse | streamstats current=f last(_time) AS prevTime | eval span=_time - prevTime | where span < 300

NimrodSky · ‎09-17-2015

A follow up question - I want to show the previous event as well, so I'll see the two events one after the other

How do I manage this?

Thanks

woodcock · ‎09-17-2015

Either like this:

... | reverse | streamstats current=f last(_time) AS prevTime  last(_raw) AS preEvent | eval span = _time - prevTime | where span < 300

Or like ths:

... | streamstats current=f last(_time) AS nextTime | reverse | streamstats current=f last(_time) AS prevTime | eval forespan = nextTime - _time | eval backspan= _time - prevTime | where backspan < 300 OR forespan < 300

NimrodSky · ‎09-16-2015

Thanks, that's what I was looking for !

How can I search for an event that occurred within five minutes from the last time it happened?

Buttercup Games: Further Dashboarding Techniques (Part 7)

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Mastering Data Pipelines: Unlocking Value with Splunk