Splunk Search

How can I set a 5-minute +/- range for a list of timestamps without doing each search manually?

samlinsongguo
Communicator

Hi Guys

I have a list of timestamps at which some events happened, and for each of them I want to search whether any related event happened within 5 minutes. For example, if the timestamp is 08/21/2017 15:35:22, the search time range should be between 08/21/2017 15:30:22 and 08/21/2017 15:35:22. I know we can do the following query:

index=main earliest="08/21/2017:16:30:00" latest="08/21/2017:16:35:00"

but since it is a list of timestamps I am going to run this against, I want to do something like earliest=-5m. However, that is relative to now() rather than to my specific time ("08/21/2017:16:00:00"). What is the syntax for setting the time relative to my given time?

Thanks in advance
Regards
Sam


DalJeanis
Legend

There are a number of ways to do this, and the selection of which to use is very context-dependent and data-dependent.


One relevant command is map. Map generates a patterned search for each record that comes in. This is good for small numbers of events - you do NOT want to use map for 1000 events, as it will be very inefficient.

Let's suppose that you have your target events in a csv called mytimes.csv in a field called eventtime, stored in epoch format, and a field called eventid that allows you to map back to whatever you are looking for.

  | inputcsv mytimes.csv 
  | rename COMMENT as "eventtime is epoch; format the window bounds in the %m/%d/%Y:%H:%M:%S form that earliest= and latest= accept"
  | eval myearliest=strftime(eventtime-300,"%m/%d/%Y:%H:%M:%S")
  | eval mylatest=strftime(eventtime,"%m/%d/%Y:%H:%M:%S")
  | rename COMMENT as "map substitutes each $field$ token into the search string; latest needs its $...$ too, and eventid is quoted in case it is a string"
  | map search="earliest=\"$myearliest$\" latest=\"$mylatest$\" ...the rest of the search to get the record ... | eval eventid=\"$eventid$\" | ... more search language ... " 

Now, if you have a LOT more events, then there are a few other ways. Here's one of them...

 your search language here 
     [| inputcsv mytimes.csv 
      | stats min(eventtime) as earliest max(eventtime) as latest 
      | eval earliest=strftime(earliest-300,"%m/%d/%Y:%H:%M:%S")
      | eval latest=strftime(latest,"%m/%d/%Y:%H:%M:%S")
      ]
  | rename COMMENT as "the above pulls events from 5 minutes before the first target event up to the last target event" 

  | rename COMMENT as "now we add in our target events themselves, placed 5 minutes before their real time so the streamstats window below covers [eventtime-5m, eventtime]." 
  | append 
     [| inputcsv mytimes.csv | eval _time = eventtime-300 | table _time eventtime eventid]

  | rename COMMENT as "We sort the events in ascending order, and copy the eventtimes and eventids forward for up to five minutes." 
  | sort 0 _time
  | streamstats last(eventtime) as eventtime list(eventid) as eventid timewindow=5m

  | rename COMMENT as "now each of the new events is marked with the eventids of any target event that it might be relevant to."
  | rename COMMENT as "kill all unmarked records and then go on with your analysis"
  | where isnotnull(eventid)   
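The two techniques in the answer above, shown as an added example that is not part of the original thread and not Splunk's own code. The first function does what the map approach does: it reads the assumed mytimes.csv (eventtime in epoch, eventid) and emits one search string per row with earliest= and latest= formatted as %m/%d/%Y:%H:%M:%S (UTC is assumed here; Splunk's strftime uses the search's own timezone). The second function replicates the append / sort / streamstats timewindow=5m sweep outside Splunk, so you can see which events get tagged with which eventids, including an event that sits inside two overlapping windows. The CSV, the targets and the log events are constructed sample data; "index=main" is the placeholder for "the rest of the search".

```python
import csv
import io
from datetime import datetime, timezone

SPLUNK_TIME_FMT = "%m/%d/%Y:%H:%M:%S"   # format accepted by earliest= / latest=
WINDOW = 300                             # 5 minutes, in seconds

# Constructed sample of the mytimes.csv the answer assumes (epoch seconds, UTC).
SAMPLE_CSV = """eventtime,eventid
1503329722,A
1503330000,B
"""
# Same targets as plain tuples: 08/21/2017 15:35:22 and 15:40:00 UTC.
SAMPLE_TARGETS = [(1503329722, "A"), (1503330000, "B")]
# Constructed log events to correlate against the targets.
SAMPLE_EVENTS = [
    (1503329400, "15:30:00 failed ssh login"),      # before A's window
    (1503329500, "15:31:40 successful ssh login"),  # inside A's window
    (1503329722, "15:35:22 sudo to root"),          # end of A, inside B
    (1503330100, "15:41:40 cron job"),              # after both windows
]


def fmt(epoch):
    """Epoch seconds -> Splunk time-modifier string (assumes UTC search timezone)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(SPLUNK_TIME_FMT)


def build_map_searches(csv_text, rest_of_search, window=WINDOW):
    """Expand one search per CSV row, the way the map command does with $field$ tokens."""
    searches = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        t = int(row["eventtime"])
        searches.append(
            f'search earliest="{fmt(t - window)}" latest="{fmt(t)}" {rest_of_search} '
            f'| eval eventid="{row["eventid"]}"'
        )
    return searches


def tag_events(events, targets, window=WINDOW):
    """Replicate append + sort 0 _time + streamstats ... timewindow=5m + where isnotnull.

    Each target enters the stream at eventtime-window (the answer's eval _time=eventtime-300)
    and stays "active" until its real eventtime, so every event whose time lies in
    [eventtime-window, eventtime] is tagged with that target's eventid.
    Returns [(event_time, payload, [eventid, ...])] for tagged events only.
    """
    stream = [(t - window, 0, ("target", t, eid)) for t, eid in targets]
    stream += [(ts, 1, ("event", ts, payload)) for ts, payload in events]
    stream.sort(key=lambda x: (x[0], x[1]))   # targets sort before events at the same instant

    active = []   # (expiry_time, eventid) of targets whose window is still open
    tagged = []
    for _time, _, rec in stream:
        if rec[0] == "target":
            active.append((rec[1], rec[2]))
            continue
        # streamstats timewindow: drop targets that entered more than `window` seconds ago
        active = [(exp, eid) for exp, eid in active if exp >= _time]
        if active:                       # where isnotnull(eventid)
            tagged.append((rec[1], rec[2], [eid for _, eid in active]))
    return tagged


if __name__ == "__main__":
    for s in build_map_searches(SAMPLE_CSV, "index=main"):
        print(s)
    for ts, payload, ids in tag_events(SAMPLE_EVENTS, SAMPLE_TARGETS):
        print(fmt(ts), payload, ids)
```

Note that Splunk treats earliest= as inclusive and latest= as exclusive, so an event at exactly 15:35:22 is returned by the sweep here but not by the map-generated search; widen latest by one second if that boundary matters to you.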

samlinsongguo
Communicator

That is really helpful. Thank you so much
Sam
