How to identify seasonal event log messages? (ever...

RocIngersol · ‎10-26-2016

I’ve got a stream of event logs (log4j variation - timestamp host class msg summary etc) coming in – I want to identify what event log messages have an element of seasonal regularity (i.e. every weekend, every month, every day at a certain time etc). I know there are some already through manual exploration, but would love to be able to search / report on what events have a form of seasonality.

Looking at x11 or predict, they seem to be for time series data, and not event log msgs as such..

DarthDMader · ‎11-10-2016

Hi,
I would concentrate my search for the date_* fields also stats and eval functions.
Without example data I can't figure out all possibilities.
Kind Regards
Darth

RocIngersol · ‎11-10-2016

Ok Darth - good call...so I've down this (with sample data)

alt text

So now I can find the events (catergoryId) that have some form of seasonally or regular frequency..

RocIngersol · ‎11-09-2016

Not an answer - but more of my own thought on how to achieve this using cluster.

Can I list all the events group in a cluster and the work out the time between each event in the cluster? Doing that would give me a way of seeing a pattern if there is an element of seasonally of each event.. i.e. every hour or every x days etc...

RocIngersol · ‎11-10-2016

OK.. so I can table out all the events on a per cluster basis with

search 'n' cluster | table _time, cluster_count, cluster label

BUT how could I work out the time between each event in each cluster? Some sort of foreach?

thx!

How to identify seasonal event log messages? (every weekend, every month, every day at a certain time, etc.)

New This Month - Splunk Observability updates and improvements for faster ...

What's New in Splunk Cloud Platform 9.3.2411?

Buttercup Games: Further Dashboarding Techniques (Part 6)