Hi,
We have a requirement where the client wants to see only events which satisfy the below condition.
Any event which has been open for more than 30 mins OR >4 events in the last one hour (doesn't matter whether it's open or closed).
Hi,
We are trying the below query.
index=dynatrace sourcetype=alert dtIncidentName="Heap Usage - Splunk Condition Testing " NOT (zmondyn*) earliest=-20d
| dedup dtIncidentName dtIncidentMessage dtIncidentServerName
| table _time dtIncidentName dtIncidentMessage dtIncidentServerName dtIncidentIsClosed
| search dtIncidentIsClosed!="True"
| eval diff_mins=(now()-_time)/60
| table _time diff_mins
| where diff_mins>30
| stats count as diff30mins
| append [ search index=dynatrace sourcetype=alert dtIncidentName="Heap Usage - Splunk Condition Testing" earliest=-1h | stats count as countforanhour ]
| stats values(*) as *
| eval alertme=if(countforanhour>10 OR diff30mins>1,1,0)
| search alertme=1
I can see the alerts (alertme=1) if 4 events triggered within one hour, but it seems the second condition (alertme if diff_mins>30) is not working properly.
Can you please confirm whether both conditions evaluate events from the raw data, or one is evaluated over the result of the other?
-Suraj
It's much easier for us to help you if you provide more information, such as what your current search/base search is, which fields are primary key/grouping fields, etc.
Hi,
We are trying the below query.
index=dynatrace sourcetype=alert dtIncidentName="Heap Usage - Splunk Condition Testing " NOT (zmondyn*) earliest=-20d
| dedup dtIncidentName dtIncidentMessage dtIncidentServerName
| table _time dtIncidentName dtIncidentMessage dtIncidentServerName dtIncidentIsClosed
| search dtIncidentIsClosed!="True"
| eval diff_mins=(now()-_time)/60
| table _time diff_mins
| where diff_mins>30
| stats count as diff30mins
| append [ search index=dynatrace sourcetype=alert dtIncidentName="Heap Usage - Splunk Condition Testing" earliest=-1h | stats count as countforanhour ]
| stats values(*) as *
| eval alertme=if(countforanhour>10 OR diff30mins>1,1,0)
| search alertme=1
This query works fine for the first condition (if we get 4 alerts within 1 hour then alertme=1), but it seems not to be working properly for the second condition (alertme if the events have been open for more than 30 mins).
Hi @surajgupta,
I'm assuming you're talking about a ticketing system where Splunk logs "open" events and "closed" events. If that's the case, you'll want to use the transaction command to find the "tickets open longer than 30 minutes", and probably write a separate search for more than 4 events per ticket and use the append command to join them together.
Your search will probably look something like this, but I would need to know more about your logs to give you an exact search:
index=your_index sourcetype=your_sourcetype
| transaction ticket_number startswith=eval(status="open") endswith=eval(status="closed")
| where duration > 1800
| append [
search index=your_index sourcetype=your_sourcetype
| bucket span=1h _time
| stats values(_raw) count by ticket_number, _time
| where count > 4 ]
Hope this helps!
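A Python model of both alert conditions, added here as an illustration and not code from either post in this thread. It replays the question's dedup / open-age / last-hour-count logic and the answer's transaction-style open-to-close pairing over a constructed set of events. The field names follow the question (dtIncidentName, dtIncidentServerName, dtIncidentIsClosed); dtIncidentMessage is left out of the dedup key for brevity, "now" is fixed so the results are reproducible, and the thresholds are the ones from the stated requirement (30 minutes, more than 4 events in an hour) rather than the 10 and >1 used in the posted query.

```python
from datetime import datetime, timedelta, timezone

OPEN_LIMIT = timedelta(minutes=30)   # "open for more than 30 mins"
WINDOW = timedelta(hours=1)          # "in the last one hour"
VOLUME_LIMIT = 4                     # "> 4 events"
TXN_LIMIT_SECONDS = 1800             # the answer's `where duration > 1800`

# Fixed "now" so the example is reproducible (the SPL uses now()).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def event(minutes_ago, server, closed):
    """Build one constructed alert event using the field names from the question."""
    return {
        "_time": NOW - timedelta(minutes=minutes_ago),
        "dtIncidentName": "Heap Usage - Splunk Condition Testing",
        "dtIncidentServerName": server,
        "dtIncidentIsClosed": "True" if closed else "False",
    }


# Constructed sample data (not real Dynatrace output), most recent first
# like Splunk's default sort order.
EVENTS = [
    event(5, "app01", closed=True),     # app01 opened 45 min ago, closed 5 min ago
    event(12, "app03", closed=False),   # app03 opened 12 min ago, still open
    event(45, "app01", closed=False),
    event(70, "app02", closed=False),   # app02 open for 70 min -> long-open
    event(200, "app04", closed=True),   # app04 opened 220 min ago, closed 20 min later
    event(220, "app04", closed=False),
]


def dedup_latest(events, key_fields=("dtIncidentName", "dtIncidentServerName")):
    """Mimic `dedup`: keep only the most recent event per key."""
    seen, kept = set(), []
    for e in sorted(events, key=lambda e: e["_time"], reverse=True):
        key = tuple(e[f] for f in key_fields)
        if key not in seen:
            seen.add(key)
            kept.append(e)
    return kept


def long_open_servers(events, now=NOW):
    """Condition 1: incidents whose latest state is open and whose age exceeds 30 min.
    Mirrors `search dtIncidentIsClosed!="True" | eval diff_mins=(now()-_time)/60
    | where diff_mins>30`."""
    return sorted(
        e["dtIncidentServerName"]
        for e in dedup_latest(events)
        if e["dtIncidentIsClosed"] != "True" and now - e["_time"] > OPEN_LIMIT
    )


def events_last_hour(events, now=NOW):
    """Condition 2 input: every event in the last hour, open or closed, no dedup
    (mirrors the `earliest=-1h | stats count` subsearch)."""
    return sum(1 for e in events if now - e["_time"] <= WINDOW)


def should_alert(events, now=NOW):
    """alertme=1 when either condition holds. The long-open count is compared with >0,
    not >1 as in the posted query: one long-open incident must already alert."""
    diff30 = len(long_open_servers(events, now))
    return events_last_hour(events, now) > VOLUME_LIMIT or diff30 > 0


def open_durations(events):
    """The answer's transaction approach: pair each open event with the next close
    per server and return seconds open (None while still open), like the
    `duration` field that `transaction` produces."""
    durations = {}
    for e in sorted(events, key=lambda e: e["_time"]):  # oldest first
        srv = e["dtIncidentServerName"]
        if e["dtIncidentIsClosed"] != "True":
            durations[srv] = {"opened": e["_time"], "duration": None}
        elif srv in durations and durations[srv]["duration"] is None:
            durations[srv]["duration"] = (e["_time"] - durations[srv]["opened"]).total_seconds()
    return {srv: d["duration"] for srv, d in durations.items()}


def long_transactions(events):
    """Servers whose completed open/close transaction lasted more than 1800 s."""
    return sorted(s for s, d in open_durations(events).items()
                  if d is not None and d > TXN_LIMIT_SECONDS)


if __name__ == "__main__":
    print("long-open:", long_open_servers(EVENTS))
    print("events in last hour:", events_last_hour(EVENTS))
    print("alert:", should_alert(EVENTS))
    print("transaction durations (s):", open_durations(EVENTS))
    print("transactions over 1800 s:", long_transactions(EVENTS))
```

With this data only three events fall in the last hour, so the volume condition alone would not fire; the alert comes entirely from app02, the single incident open longer than 30 minutes. That is the case worth checking against the posted query: `stats count as diff30mins` yields 1 for one such incident, and `diff30mins>1` is false for it, so a lone long-open incident never raises alertme. Comparing with `>0` (or `>=1`) makes the second condition behave as the requirement describes.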