Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can i calculate the minimum time per source(log file) and then get the logs with a time difference of more than 6 minutes?

aamer86
Path Finder
‎12-29-2018 11:04 AM

I have a WAF log source where logs are written to CEF files.

I need a search that calculates the minimum time per log file and then compares the logs within each logs file to this minimum and gets logs that have more than a 6 minutes delay.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎12-30-2018 07:31 PM

@aamer86,
Assuming you have multiple log files (source) and you want the delay for each of these files.

Try this

index="your index" source="all CEF files"|eventstats earliest(_time) as mintime by source|eval diff=round((_time-mintime)/60,2)
|where diff >=6|stats count by source
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎12-30-2018 07:31 PM

@aamer86,
Assuming you have multiple log files (source) and you want the delay for each of these files.

Try this

index="your index" source="all CEF files"|eventstats earliest(_time) as mintime by source|eval diff=round((_time-mintime)/60,2)
|where diff >=6|stats count by source
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

aamer86
Path Finder
‎12-31-2018 01:33 AM

thanks that worked

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎12-29-2018 09:21 PM

@aamer86,
What do you mean by minimum time? Is it the first entry from that source for the day ? Or is it the last time the file was updated? And how do you want the delay to be calculated - time difference between event and indexed time ?

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

aamer86
Path Finder
‎12-30-2018 10:56 AM

yes I need to calculate the time range of logs within a single CEF log file so i want to get the first timestamp (minimum time) and then compare the time of each logs within this file with the minimum time for example

first log written to the file at 12pm
next log written at 12:02
.
.
.
last log written to the file 12:30

I need to get a count of logs that has more than 6 minutes difference to the first log entry

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...