Splunk Search

How to fetch events based on below condition

surajgupta
New Member

Hi,

We have a requirement where the client wants to see only events which satisfy the condition below.

Any events which have been open for more than 30 mins OR >4 events in the last one hour (doesn't matter whether it's open or closed).

-Suraj
0 Karma

surajgupta
New Member

Hi,

We are trying the query below.

index=dynatrace sourcetype=alert dtIncidentName="Heap Usage - Splunk Condition Testing" NOT (zmondyn*) earliest=-20d
| dedup dtIncidentName dtIncidentMessage dtIncidentServerName
| table _time dtIncidentName dtIncidentMessage dtIncidentServerName dtIncidentIsClosed
| search dtIncidentIsClosed!="True"
| eval diff_mins=(now()-_time)/60
| table _time diff_mins
| where diff_mins>30
| stats count as diff30mins
| append [ search index=dynatrace sourcetype=alert dtIncidentName="Heap Usage - Splunk Condition Testing" earliest=-1h | stats count as countforanhour ]
| stats values(*) as *
| eval alertme=if(countforanhour>4 OR diff30mins>0,1,0)
| search alertme=1

I can see the alerts (alertme=1) if 4 events are triggered within one hour, but it seems the second condition (alertme if diff_mins>30) is not working properly.
Can you please confirm whether both conditions evaluate events from the raw data, or one over the other?

-Suraj

0 Karma

somesoni2
Revered Legend

It's much easier for us to help you if you provide more information, such as what your current search/base search is, which fields are primary key/grouping fields, etc.

0 Karma

surajgupta
New Member

Hi,

We are trying the query below.

index=dynatrace sourcetype=alert dtIncidentName="Heap Usage - Splunk Condition Testing" NOT (zmondyn*) earliest=-20d
| dedup dtIncidentName dtIncidentMessage dtIncidentServerName
| table _time dtIncidentName dtIncidentMessage dtIncidentServerName dtIncidentIsClosed
| search dtIncidentIsClosed!="True"
| eval diff_mins=(now()-_time)/60
| table _time diff_mins
| where diff_mins>30
| stats count as diff30mins
| append [ search index=dynatrace sourcetype=alert dtIncidentName="Heap Usage - Splunk Condition Testing" earliest=-1h | stats count as countforanhour ]
| stats values(*) as *
| eval alertme=if(countforanhour>4 OR diff30mins>0,1,0)
| search alertme=1

This query works fine for the first condition (if we get 4 alerts within 1 hour then alertme=1) but does not seem to work properly for the second condition (alertme if the events have been open for more than 30 mins).

0 Karma

pappjr
Path Finder

Hi @surajgupta,

I'm assuming you're talking about a ticketing system where Splunk logs "open" events and "closed" events. If that's the case, you'll want to use the transaction command to find the "tickets open longer than 30 minutes", and probably write a separate search for more than 4 events per ticket and use the append command to join them together.

Your search will probably look something like this, but I would need to know more about your logs to give you an exact search:

index=your_index sourcetype=your_sourcetype
| transaction ticket_number startswith=eval(status="open") endswith=eval(status="closed")
| where duration > 1800
| append [
search index=your_index sourcetype=your_sourcetype
| bucket span=1h _time
| stats values(_raw) count by ticket_number, _time
| where count > 4 ]

Hope this helps!

0 Karma
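An added example, not from this thread, of evaluating both of surajgupta's conditions in one search without append, using the field names from his query. It assumes each Dynatrace incident logs an event when it opens and a later event with dtIncidentIsClosed="True" when it closes, and that an incident is identified by dtIncidentName, dtIncidentMessage and dtIncidentServerName as in his dedup.

```spl
index=dynatrace sourcetype=alert dtIncidentName="Heap Usage - Splunk Condition Testing" NOT (zmondyn*) earliest=-20d
| eval in_last_hour=if(_time >= relative_time(now(), "-1h"), 1, 0)
| stats earliest(_time) as opened_at, latest(dtIncidentIsClosed) as last_status, sum(in_last_hour) as events_last_hour
    by dtIncidentName, dtIncidentMessage, dtIncidentServerName
| eval open_mins=if(coalesce(last_status, "False")!="True", round((now()-opened_at)/60, 1), null())
| eventstats sum(events_last_hour) as total_last_hour
| eval reason=case(open_mins>30 AND total_last_hour>4, "open>30min and >4 events/hour",
                   open_mins>30, "open>30min",
                   total_last_hour>4, ">4 events/hour")
| where isnotnull(reason)
| table dtIncidentName dtIncidentServerName opened_at open_mins events_last_hour total_last_hour reason
```

Because the per-incident stats keeps the hourly count alongside the open duration, neither condition is filtered away before the other is checked; set the alert to trigger when the number of results is greater than 0.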