Splunk Search

How to identify seasonal event log messages? (every weekend, every month, every day at a certain time, etc.)

Explorer

I’ve got a stream of event logs (log4j variation - timestamp host class msg summary etc) coming in – I want to identify what event log messages have an element of seasonal regularity (i.e. every weekend, every month, every day at a certain time etc). I know there are some already through manual exploration, but would love to be able to search / report on what events have a form of seasonality.

Looking at x11 or predict, they seem to be for time series data, and not event log messages as such.

0 Karma

Explorer

Hi,
I would concentrate my search on the date_* fields, and also on the stats and eval functions.
Without example data I can't figure out all possibilities.
Kind Regards
Darth

0 Karma
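The kind of date-bucketed search Darth is pointing at, written out as an added example (not a search from this thread; the index, sourcetype and thresholds are assumptions, `msg` is the log4j field named in the question). It counts, per message, how its occurrences spread across a time slot and keeps the messages that land almost entirely in one slot. One practical caveat: the date_* fields only exist when Splunk parsed the timestamp out of the raw event text, so deriving the slot from `_time` with strftime works in every case.

```spl
index=app sourcetype=log4j
| eval slot=strftime(_time, "%H")
| stats count by msg, slot
| eventstats sum(count) AS msg_total BY msg
| eval share=round(count / msg_total, 2)
| where msg_total >= 20 AND share >= 0.8
| table msg, slot, count, msg_total, share
| sort - share
```

With `%H` the search surfaces messages that fire every day at the same hour; swapping the format for `%a` (day of week) finds weekly messages and `%d` finds ones tied to a day of the month, and combining them (`%a:%H`) finds "every Sunday at 02:00" style jobs. `msg_total >= 20` stops a message seen twice from looking perfectly regular.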

Explorer

Ok Darth - good call...so I've done this (with sample data)

[screenshot of the search and its results, not included in the page]

So now I can find the events (categoryId) that have some form of seasonality or regular frequency.

0 Karma

Explorer

Not an answer - but more of my own thought on how to achieve this using cluster.

Can I list all the events grouped in a cluster and then work out the time between each event in the cluster? Doing that would give me a way of seeing a pattern if there is an element of seasonality for each event, i.e. every hour or every x days etc.

0 Karma

Explorer

OK, so I can table out all the events on a per cluster basis with

<base search> | cluster showcount=t labelonly=t | table _time, cluster_count, cluster_label

BUT how could I work out the time between each event in each cluster? Some sort of foreach?

thx!

0 Karma
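One way to get the per-cluster gap the last two posts are after, as an added example rather than anything posted in the thread (index, sourcetype, the `t=0.8` similarity threshold and the regularity cut-off are assumptions). No foreach is needed: sort by cluster and time, then streamstats carries the previous event's `_time` forward within each cluster. Note that `labelonly=t` is what keeps every event; without it cluster emits one representative event per cluster and there is nothing to measure gaps between.

```spl
index=app sourcetype=log4j
| cluster field=msg t=0.8 showcount=t labelonly=t
| sort 0 cluster_label, _time
| streamstats current=f last(_time) AS prev_time BY cluster_label
| eval gap_min=round((_time - prev_time) / 60, 1)
| where isnotnull(gap_min)
| stats count AS gaps, avg(gap_min) AS avg_gap_min, stdev(gap_min) AS sd_gap_min,
        min(gap_min) AS min_gap_min, max(gap_min) AS max_gap_min, first(msg) AS sample_msg
        BY cluster_label
| eval regularity=round(sd_gap_min / avg_gap_min, 2)
| where gaps >= 5 AND regularity <= 0.2
| sort regularity
```

`regularity` is the coefficient of variation of the gaps: a cluster that fires like clockwork scores near 0, a bursty one well above 1. `avg_gap_min` then tells you the period (about 60 for hourly, 1440 for daily, 10080 for weekly). When reading the result, treat a cluster that is regular but whose `sample_msg` is an error or an authentication failure as worth a second look: a fixed cadence usually means a scheduled job or a scripted client, which is exactly what you want to confirm rather than assume.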