Splunk Search

How to FILTER the same events with two or more fields in a time interval?

DG3bran
Explorer

Hello team!!

I'm working with SMS CDRs and I have to find a way to visualize that two fields are repeated more than 10 times in a minute.

Could you help me find a way to do it?

This is a part of my CDR:

14:00:06.495844|2022-09-13 14:00:06.495847|2022-09-13 14:00:06|MT|3385251555|56271948588

origin:3385251555

dest:56271948588

I want to see when the same origin and the same destination repeat more than 10 times in 1 minute.

Thank you very much for your help and time

1 Solution

bowesmana
SplunkTrust

Use streamstats or stats, e.g. with stats you can use


search...
| bin _time span=1m
| stats count by _time origin dest
| where count>10


which will do 1-minute boundary counting, so if you get 9 occurrences between 9:00:45 and 9:00:52 and then another 5 at 9:01:02, it will not find this. To find these examples, use streamstats, e.g.


| streamstats time_window=1m count by origin dest
| where count>10
| bin _time span=1m
| stats max(count) as max by _time origin dest


Note these examples assume origin and dest are fields in your data, but hopefully this will give you something to go with.
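To make the difference between the two searches concrete, here is an added Python re-implementation of both counts (my own illustration, not part of the thread or of Splunk's code). It assumes the question's pipe-delimited layout, with the event time in column 3 and origin/dest in columns 5 and 6; the CDR rows are constructed to reproduce the 9-then-5 case the answer describes.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10           # the question's "more than 10 times"
WINDOW = timedelta(minutes=1)

# Constructed CDR lines in the question's layout (not real traffic). Nine events
# between 09:00:45 and 09:00:52 plus five at 09:01:02 reproduce the case from the
# answer: a fixed 1-minute bin misses it, a sliding window catches it.
SECONDS = [45, 45, 46, 47, 48, 49, 50, 51, 52] + [62] * 5
CDR_SAMPLE = [
    f"09:0{s // 60}:{s % 60:02d}.000000|2022-09-13 09:0{s // 60}:{s % 60:02d}.000001"
    f"|2022-09-13 09:0{s // 60}:{s % 60:02d}|MT|3385251555|56271948588"
    for s in SECONDS
] + ["09:00:10.000000|2022-09-13 09:00:10.000001|2022-09-13 09:00:10|MT|3385251555|56200000000"]

def parse_cdr(lines):
    """Return (time, origin, dest) tuples from pipe-delimited CDR lines, oldest first."""
    rows = []
    for line in lines:
        f = line.split("|")
        rows.append((datetime.strptime(f[2], "%Y-%m-%d %H:%M:%S"), f[4], f[5]))
    return sorted(rows, key=lambda r: r[0])

def fixed_bin_alerts(rows):
    """Like `bin _time span=1m | stats count by _time origin dest | where count>10`."""
    counts = defaultdict(int)
    for t, origin, dest in rows:
        counts[(t.replace(second=0, microsecond=0), origin, dest)] += 1
    return {key for key, c in counts.items() if c > THRESHOLD}

def sliding_window_alerts(rows):
    """Like `streamstats time_window=1m count by origin dest | where count>10`:
    for each event, count the pair's events in the trailing minute."""
    recent = defaultdict(deque)       # (origin, dest) -> event times still inside the window
    alerts = set()
    for t, origin, dest in rows:
        q = recent[(origin, dest)]
        q.append(t)
        while t - q[0] >= WINDOW:     # evict events older than one minute
            q.popleft()
        if len(q) > THRESHOLD:
            alerts.add((origin, dest, t))   # pair plus the time the threshold was crossed
    return alerts

if __name__ == "__main__":
    rows = parse_cdr(CDR_SAMPLE)
    print("fixed 1m bins :", fixed_bin_alerts(rows))      # empty: 9 + 5 never exceed 10 in one bin
    print("sliding window:", sliding_window_alerts(rows))  # the pair flagged at 09:01:02
```

The sliding version also shows why the answer's second search reports `max(count)` per bin: several consecutive events trip the threshold for the same pair, so a per-minute maximum collapses them into one row.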


DG3bran
Explorer

Thanks very much for your help. I'll check.
