Splunk Search

How to identify seasonal event log messages? (every weekend, every month, every day at a certain time, etc.)

RocIngersol
Explorer

I’ve got a stream of event logs (log4j variation - timestamp host class msg summary etc) coming in – I want to identify what event log messages have an element of seasonal regularity (i.e. every weekend, every month, every day at a certain time etc). I know there are some already through manual exploration, but would love to be able to search / report on what events have a form of seasonality.

Looking at x11 or predict, they seem to be for time series data, and not event log msgs as such..

0 Karma

DarthDMader
Explorer

Hi,
I would concentrate my search for the date_* fields also stats and eval functions.
Without example data I can't figure out all possibilities.
Kind Regards
Darth

0 Karma

RocIngersol
Explorer

Ok Darth - good call...so I've down this (with sample data)

alt text

So now I can find the events (catergoryId) that have some form of seasonally or regular frequency..

0 Karma

RocIngersol
Explorer

Not an answer - but more of my own thought on how to achieve this using cluster.

Can I list all the events group in a cluster and the work out the time between each event in the cluster? Doing that would give me a way of seeing a pattern if there is an element of seasonally of each event.. i.e. every hour or every x days etc...

0 Karma

RocIngersol
Explorer

OK.. so I can table out all the events on a per cluster basis with

search 'n' cluster | table _time, cluster_count, cluster label

BUT how could I work out the time between each event in each cluster? Some sort of foreach?

thx!

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.