Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can i calculate the minimum time per source(log file) and then get the logs with a time difference of more than 6 minutes?

aamer86
Path Finder
‎12-29-2018 11:04 AM

I have a WAF log source where logs are written to CEF files.

I need a search that calculates the minimum time per log file and then compares the logs within each logs file to this minimum and gets logs that have more than a 6 minutes delay.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎12-30-2018 07:31 PM

@aamer86,
Assuming you have multiple log files (source) and you want the delay for each of these files.

Try this

index="your index" source="all CEF files"|eventstats earliest(_time) as mintime by source|eval diff=round((_time-mintime)/60,2)
|where diff >=6|stats count by source
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎12-30-2018 07:31 PM

@aamer86,
Assuming you have multiple log files (source) and you want the delay for each of these files.

Try this

index="your index" source="all CEF files"|eventstats earliest(_time) as mintime by source|eval diff=round((_time-mintime)/60,2)
|where diff >=6|stats count by source
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

aamer86
Path Finder
‎12-31-2018 01:33 AM

thanks that worked

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎12-29-2018 09:21 PM

@aamer86,
What do you mean by minimum time? Is it the first entry from that source for the day ? Or is it the last time the file was updated? And how do you want the delay to be calculated - time difference between event and indexed time ?

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

aamer86
Path Finder
‎12-30-2018 10:56 AM

yes I need to calculate the time range of logs within a single CEF log file so i want to get the first timestamp (minimum time) and then compare the time of each logs within this file with the minimum time for example

first log written to the file at 12pm
next log written at 12:02
.
.
.
last log written to the file 12:30

I need to get a count of logs that has more than 6 minutes difference to the first log entry

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
Top