Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I filter values with at least one zero in time?

Shark2112
Communicator
‎10-04-2018 12:53 AM

Hello!

I want to find local IPs that communicate with outside IPs every 5 minutes, for example:

                                      192.168.1.11       192.168.1.12       192.168.1.13

8.8.8.8 10:00:00 1 3 0
9.9.9.9 10:00:00 2 0 4

8.8.8.8 10:05:00 1 3 1
9.9.9.9 10:05:00 2 1 4

8.8.8.8 10:10:00 1 3 1
9.9.9.9 10:10:00 2 1 0

so i want to find:
192.168.1.11 to 8.8.8.8
192.168.1.11 to 9.9.9.9
192.168.1.12 to 8.8.8.8

i tried 

| bucket span=10min _time
| stats count by int_ip ext_ip

but can't understand how to filter it

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Shark2112
Communicator
‎10-04-2018 02:29 AM

done it with
|search ...... (earliest 4h)
| bucket span=10min _time
| stats count by _time int_ip ext_ip
| stats count by int_ip ext_ip
| where count=24
24 because in 4 hours 24 times of 10 minutes

View solution in original post

Reply
Solved! Jump to solution
Solution

Shark2112
Communicator
‎10-04-2018 02:29 AM

done it with
|search ...... (earliest 4h)
| bucket span=10min _time
| stats count by _time int_ip ext_ip
| stats count by int_ip ext_ip
| where count=24
24 because in 4 hours 24 times of 10 minutes

Reply
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of the streaming infrastructure for Splunk APM and Splunk RUM in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...