Splunk Search

How to edit my search to find all source_value_id fields where the d value is less than zero?

msehic
Explorer

When running this command: "low_seq=" "source_session_id" "-1177" | stats by _time,source_session_id,low_seq | delta low_seq as d | where d<0 | table _time, source_session_id, low_seq, d I get what I want for one source_session_id:

_time         source_session_id    low_seq  d
1:00:01 PM   -1177                 0          -4584

However, I have multiple source_session_id, so without "-1177", the search does not work: "low_seq=" "source_session_id" | stats by _time,source_session_id,low_seq | delta low_seq as d |table _time, source_session_id, low_seq, d.

How do I make it work so it finds all source_session_id where d<0?

I tried this: "low_seq=" "source_session_id" | stats values(low_seq) by source_session_id. it groups nicely for all source_session_id but I could not make it work with delta with stats(values) to get d<0,

Thank you.

0 Karma
1 Solution

msehic
Explorer

got it.

|  table _time, source_session_id, low_seq | sort 0 source_session_id | sort 0 _time | delta low_seq as d | delta source_session_id as s | where d <0 and s=0

View solution in original post

0 Karma

msehic
Explorer

got it.

|  table _time, source_session_id, low_seq | sort 0 source_session_id | sort 0 _time | delta low_seq as d | delta source_session_id as s | where d <0 and s=0
0 Karma
Get Updates on the Splunk Community!

Security Highlights | November 2022 Newsletter

 November 2022 2022 Gartner Magic Quadrant for SIEM: Splunk Named a Leader for the 9th Year in a RowSplunk is ...

Platform Highlights | November 2022 Newsletter

 November 2022 Skill Up on Splunk with our New Builder Tech Talk SeriesCan you build it? Yes you can! *play ...

Splunk Education - Fast Start Program!

Welcome to Splunk Education! Splunk training programs are designed to enable you to get started quickly and ...