- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to flag events based on specific time ranges?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I would like to flag events in specific time ranges, e.g. all events between 01.08.2014 14:00:00 and 01.08.2014 15:00:00.
My current approach is to use the case command, but this seems to be very uncomfortable:
| eval flag=case(_time>=strptime("01.08.2014 14:00:00", "%d.%m.%Y %H:%M:%S") AND _time<=strptime("01.08.2014 15:00:00", "%d.%m.%Y %H:%M:%S") , "flag1",
_time>=strptime("03.03.2014 22:00:00", "%d.%m.%Y %H:%M:%S") AND _time<=strptime("03.03.2014 23:00:00", "%d.%m.%Y %H:%M:%S"), "flag2",
_time>=strptime("05.04.2014 01:00:00", "%d.%m.%Y %H:%M:%S") AND _time<=strptime("05.04.2014 05:00:00", "%d.%m.%Y %H:%M:%S"), "flag3")
Is there a better way to achieve my goal, perhaps by using a lookup?
BR
Heinz
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @HeinzWaescher
A former intern at Splunk developed this Annotate app that could be useful for your case. It might be worth checking out as a possible solution. http://apps.splunk.com/app/1831/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @HeinzWaescher
A former intern at Splunk developed this Annotate app that could be useful for your case. It might be worth checking out as a possible solution. http://apps.splunk.com/app/1831/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No problem @HeinzWaescher. Let us know how it works out for you 🙂
Patrick
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
it seems to be a possible solution. I will have a closer look at it. Thanks a lot!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi HeinzWaescher,
I think you should use a lookup to do this. In your lookup file, you set the time range and the flag which should be set for this time range. If this works, setup an automatic lookup and you're flags will be set automatically.
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think so too. Thanks for your help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hmm, looks like the lookup approach is not the best choice...there are multiple un-answered questions related to this topic:
http://answers.splunk.com/answers/99023/time-base-lookup-with-offset-stored-in-lookup-table
http://answers.splunk.com/answers/56672/configure-a-time-based-lookup-for-more-than-one-field
sorry ....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi MuS,
my problem is, that I don't know how to define the timeranges in a lookup file. Do I have to "bucket _time span=1h" and set the timerange in the lookup in hours? But then it would be a problem to flag timeranges like 01.08.2014 14:30:00 - 01.08.2014 15:30:00.
Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!
Logs to Metrics
Developer Spotlight with Paul Stout
