Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to group together events based on their relative distance in _time?

thisissplunk
Builder
‎06-06-2014 11:21 AM

Hello All,

I'm trying to figure out how to group certain events together if they happen within 1 second of each other's relative _time (they happened <= one second from each other).

Current search as an example example:

sourcetype=logins login_server="server_01" login_server="server_02" login_server="server_03"  | stats  values(login_server) count(login_server) AS UniqueEventCount dc(login_server) AS UniqueServerCount by HostName, User | sort -UniqueServerCount | where UniqueServerCount > 1

What the above answers is: "Show me the events where a host and user name logs into two or more different login servers". What I need to add is that I only want to show events that log into two or more login servers within 1 second of each other.

Bucket does not do this as two events can fall within 1 second of each other, but not fall into the same one second buckets markers.

Any ideas?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gfreitas
Builder
‎06-07-2014 05:23 AM

Hi thisissplunk,

Maybe you can use the "transaction" command. Using a "| transaction login_server maxspan=1s". This way you will group all the events with the login_server that are equal withing 1 second max difference between events.

Hope this helps!

View solution in original post

Reply
Solved! Jump to solution
Solution

gfreitas
Builder
‎06-07-2014 05:23 AM

Hi thisissplunk,

Maybe you can use the "transaction" command. Using a "| transaction login_server maxspan=1s". This way you will group all the events with the login_server that are equal withing 1 second max difference between events.

Hope this helps!

Reply
Solved! Jump to solution

thisissplunk
Builder
‎06-13-2014 12:57 PM

The transaction command did it. Though I will say it adds a LOT of overhead and makes some of our searches impossible over more than a few minutes. It does however do the same as the above initial search AND ensures they all happened within 1 second of each other.

I can now say "Someone logged into 3 different servers within one second, and here is your single alert showing you so".

sourcetype=logins login_server="server_01" login_server="server_02" login_server="server_03" | transaction fields="HostName" maxspan=1s | eval UniqueServers=mvcount(login_server) | where UniqueServers > 1

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...