Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to group together events based on their relative distance in _time?

thisissplunk
Builder
‎06-06-2014 11:21 AM

Hello All,

I'm trying to figure out how to group certain events together if they happen within 1 second of each other's relative _time (they happened <= one second from each other).

Current search as an example example:

sourcetype=logins login_server="server_01" login_server="server_02" login_server="server_03"  | stats  values(login_server) count(login_server) AS UniqueEventCount dc(login_server) AS UniqueServerCount by HostName, User | sort -UniqueServerCount | where UniqueServerCount > 1

What the above answers is: "Show me the events where a host and user name logs into two or more different login servers". What I need to add is that I only want to show events that log into two or more login servers within 1 second of each other.

Bucket does not do this as two events can fall within 1 second of each other, but not fall into the same one second buckets markers.

Any ideas?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gfreitas
Builder
‎06-07-2014 05:23 AM

Hi thisissplunk,

Maybe you can use the "transaction" command. Using a "| transaction login_server maxspan=1s". This way you will group all the events with the login_server that are equal withing 1 second max difference between events.

Hope this helps!

View solution in original post

Reply
Solved! Jump to solution
Solution

gfreitas
Builder
‎06-07-2014 05:23 AM

Hi thisissplunk,

Maybe you can use the "transaction" command. Using a "| transaction login_server maxspan=1s". This way you will group all the events with the login_server that are equal withing 1 second max difference between events.

Hope this helps!

Reply
Solved! Jump to solution

thisissplunk
Builder
‎06-13-2014 12:57 PM

The transaction command did it. Though I will say it adds a LOT of overhead and makes some of our searches impossible over more than a few minutes. It does however do the same as the above initial search AND ensures they all happened within 1 second of each other.

I can now say "Someone logged into 3 different servers within one second, and here is your single alert showing you so".

sourcetype=logins login_server="server_01" login_server="server_02" login_server="server_03" | transaction fields="HostName" maxspan=1s | eval UniqueServers=mvcount(login_server) | where UniqueServers > 1

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...