Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to identify seasonal event log messages? (every weekend, every month, every day at a certain time, etc.)

RocIngersol
Explorer
‎10-26-2016 02:01 PM

I’ve got a stream of event logs (log4j variation - timestamp host class msg summary etc) coming in – I want to identify what event log messages have an element of seasonal regularity (i.e. every weekend, every month, every day at a certain time etc). I know there are some already through manual exploration, but would love to be able to search / report on what events have a form of seasonality.

Looking at x11 or predict, they seem to be for time series data, and not event log msgs as such..

0 Karma
Reply

DarthDMader
Explorer
‎11-10-2016 12:53 PM

Hi,
I would concentrate my search for the date_* fields also stats and eval functions.
Without example data I can't figure out all possibilities.
Kind Regards
Darth

0 Karma
Reply

RocIngersol
Explorer
‎11-10-2016 02:39 PM

Ok Darth - good call...so I've down this (with sample data)

alt text

So now I can find the events (catergoryId) that have some form of seasonally or regular frequency..

Preview file
396 KB
0 Karma
Reply

RocIngersol
Explorer
‎11-09-2016 01:46 PM

Not an answer - but more of my own thought on how to achieve this using cluster.

Can I list all the events group in a cluster and the work out the time between each event in the cluster? Doing that would give me a way of seeing a pattern if there is an element of seasonally of each event.. i.e. every hour or every x days etc...

0 Karma
Reply

RocIngersol
Explorer
‎11-10-2016 06:40 AM

OK.. so I can table out all the events on a per cluster basis with

search 'n' cluster | table _time, cluster_count, cluster label

BUT how could I work out the time between each event in each cluster? Some sort of foreach?

thx!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...