Splunk Search

How to edit my search to only return results that exceed a certain count within a time window?

Path Finder

I would like to issue the following search, but only get results that exceed a count within a time window. I see how to set an alert to do this, but I just want to search my current stored events. How do I do this in a search?

user=* action=* | stats count by user, action

Re: How to edit my search to only return results that exceed a certain count within a time window?

SplunkTrust

Did you try adding a where clause in the end to compare count with your threshold?

Like
your current search ...| where count > yourthreshold


Re: How to edit my search to only return results that exceed a certain count within a time window?

Path Finder

Thanks. Is there a way to do this for count over a moving time window for stored events? Right now the count is the total over the interval defined by the time range picker. In other words, is there a way to count events by user that exceed a threshold within a moving 5 minute time window over my event history?


Re: How to edit my search to only return results that exceed a certain count within a time window?

SplunkTrust

You can use a subsearch to get the value of yourthreshold to be used. In your subsearch, write your search to get the threshold for a moving 5 min window.

your current search ...| where count > [ search your search to get threshold for moving 5 min window | return $yourthreshold ]

Re: How to edit my search to only return results that exceed a certain count within a time window?

Path Finder

your current search ...| where count > [ search your search to get threshold for moving 5 min window | return $yourthreshold ]

This looks like what I want but not sure of the syntax. I am fine with a fixed threshold. How do I search for a count of events in a moving 5 minute window that have the string "failed", and output the count when it exceeds a fixed threshold?

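For the last question, here is an added example (not from any of the thread's replies) that counts "failed" events per user in a trailing 5-minute window and keeps only the rows where that count exceeds a fixed threshold; it assumes the events live in index=main, carry a user field, and that 10 is the threshold:

```spl
index=main "failed" user=*
| sort 0 _time
| streamstats time_window=5m count AS failures_5m BY user
| where failures_5m > 10
| table _time, user, failures_5m
```

The sort 0 _time step is there because streamstats time_window requires the events to be in time order, and each output row is the event at which a user's trailing 5-minute count passed the threshold. If fixed, non-overlapping 5-minute buckets are good enough, replace the streamstats and where lines with | bin _time span=5m | stats count AS failures BY _time, user | where failures > 10.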