Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to I specify a *minimum* time between events?

Tisiphone
Engager
‎02-18-2010 09:04 PM

There are plenty of ways to specify the exact time range or maximum range between two events in a search. But I need to specify a minimum.

My search is: index=antivirus INFECTION dedup 1 infection host | top host limit="10"

It correctly finds my top 10 infected hosts by distinct viral infection and host. However, I want to make sure there is over X amount of time between each event, because I want to catch Bob the Bittorrenter who gets a new infection every week, and not Sue the Surfer who downloads one bad file and gets 8 infections in less than minute.

I've tried building a timechart, "transaction infection,host maxspan=X", and specifying a bucket on _time, but everything seems to give me the opposite of what I need.

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎02-19-2010 06:14 AM

I'm not sure why | transaction infection,host maxspan=X | top host doesn't work for you. Perhaps | transaction infection,host maxpause=X | top host works better (though similarly, but both of those will group together infections into a single event if they are close enough, leaving you with blocks of infections separated by the time range.

Possibly you are interpreting the results backwards, but since transaction groups together things that are closer than your max ranges (whether the overall range or the time between infections), you don't look inside the transaction, you look at each separate transaction and count those.

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎02-19-2010 06:14 AM

I'm not sure why | transaction infection,host maxspan=X | top host doesn't work for you. Perhaps | transaction infection,host maxpause=X | top host works better (though similarly, but both of those will group together infections into a single event if they are close enough, leaving you with blocks of infections separated by the time range.

Possibly you are interpreting the results backwards, but since transaction groups together things that are closer than your max ranges (whether the overall range or the time between infections), you don't look inside the transaction, you look at each separate transaction and count those.

Reply
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...