Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create a search to find offline event that does not have a corresponding succeeding online event

dglass0215
Path Finder
‎11-08-2019 09:25 AM

Hello,

I have a sourcetype which has data telling me if something goes offline and then when it comes online.

I am trying to write a search that only shows the most recent offline event where a newer online event has not yet occurred.

Any help is appreciated!

0 Karma
Reply

woodcock
Esteemed Legend
‎11-16-2019 02:46 PM

Like this:

... | streamstats count(eval(action="online")) AS sessionID BY host and other fields here
| stats count dc(action) AS action_count values(action) AS actions BY sessionID hsot and other fields here
| where action_count == 1
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-09-2019 03:01 AM

Hi dglass0215,
a sample of yur data could be useful, but anyway you should select the conditions, e.g. having:

  • an index called my_index,
  • a username field called user,
  • an host name called host,
  • a field called status that contains different strings for offline and online ("go offline" and "go online");

you could run something like this, if it's relevant the duration of offline (e.g. online must come back at most in 5 minutes):

index=my_index (status="go offline" OR status="go online")
| transaction user host startswith="go offline" endswith="go online" keeporphans=true maxspan=300s
| search NOT status="go online"
| ...

But it's a slow search (transaction is a very slow command).

If instead it isn't relevant the time between offline and online, you could run something like this

index=my_index (status="go offline" OR status="go online")
| stats dc(status) AS count values(status) AS status BY user host
| where count=1

that's quicker.

Ciao.
Giuseppe

0 Karma
Reply

dglass0215
Path Finder
‎11-11-2019 09:48 AM

Thanks Giuseppe this is very helpful! I do realize a sample of my data would useful, it is just tough to do so since I am in a disconnected environment. Basically it is as simple as Host, TimeStamp, onlineStatus. I do not have a username field, nor do I (at least at this moment in time) care about the duration of offline. I just want to know if an offline has occurred without a corresponding online. Your second query above looks like it would almost do what I need! However couldn't that query wind up showing an online event depending on how the timeframe of the query was setup?

Thanks Again!

0 Karma
Reply

Sukisen1981
Champion
‎11-08-2019 10:52 PM

hi can you please provide some sample events and desired output?

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...