Hello,
Does anybody know how to write a search that finds events that occur at least once per day, where all of a day's events count as one, and these counts must occur 5 or more times per week?
See http://imageshack.us/photo/my-images/854/5per7.jpg/
Best Regards,
C4r7m4n
Hi @jt_splunk
Thank you for your response.
I don't know how exactly field source="/var/log/alerts_splunk.log" hostname="*" (name="df.*" AND value>99) OR (name="*.var" AND value>95) | stats count by hostname name value | dedup hostname name | sort value desc
I don't quite understand statements: dedup date_wday <fieldofinterest>
😞
Remove duplicates that occur on the same day of the week?
Hello @jt_splunk
The statement: | where count > 4 | sort value desc
does not work for me :(
Is the where keyword deprecated?
And why do you dedup by date_wday, hostname and name instead of only by date_wday?
"If I understand correctly, for each day of the week, you only care if an event is present or not" -- correct
"Then, you want to know if that event occurs over the course of 5 days, right?" -- Then I want to know if that event occurs 5 times or more in the week (e.g. Monday, Tuesday, Wednesday, Friday and Sunday: 5 times in the week)
(e.g. 2: Monday, Tuesday, Wednesday, Thursday, Friday and Sunday: 6 times in the week)
Best Regards,
C4r7m4n
Hello @jt_splunk
It's working, thx
Hi @jt_splunk
Sorry, I made a mistake: I wrote count instead of count by 😞
I will test it and give you a response... 😉
I just verified in 4.3.1 that where is still a current and active search keyword. So "| where count > 4" should work for you. What results are you getting when you use just the where portion?
If I understand correctly, for each day of the week, you only care if an event is present or not. Then, you want to know if that event occurs over the course of 5 days, right? Try this:
source="/var/log/alerts_splunk.log" hostname="*" (name="df.*" AND value>99) OR (name="*.var" AND value>95) | dedup date_wday hostname name | stats count by hostname name value | where count > 4 | sort value desc
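The dedup-then-count logic of the search above, as an added Python example (not code from the thread or from Splunk) run over a constructed week of alert events; it assumes the input is already limited to one week, as the earliest=-7d suggestion does, and that the log carries a timestamp, hostname, name and value per event.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events for one week (Mon 2012-03-19 to Sun 2012-03-25):
# (timestamp, hostname, name, value). Not taken from the original thread.
SAMPLE_EVENTS = [
    ("2012-03-19 01:00:00", "web01", "df.root", 100),  # Monday
    ("2012-03-19 03:00:00", "web01", "df.root", 100),  # Monday again: counts once
    ("2012-03-20 01:00:00", "web01", "df.root", 100),  # Tuesday
    ("2012-03-21 01:00:00", "web01", "df.root", 100),  # Wednesday
    ("2012-03-23 01:00:00", "web01", "df.root", 100),  # Friday
    ("2012-03-25 01:00:00", "web01", "df.root", 100),  # Sunday -> 5 distinct days
    ("2012-03-19 02:00:00", "db01", "load.var", 96),   # Monday
    ("2012-03-20 02:00:00", "db01", "load.var", 96),   # Tuesday
    ("2012-03-20 05:00:00", "db01", "load.var", 97),   # Tuesday again: still one day
    ("2012-03-22 02:00:00", "db01", "load.var", 96),   # Thursday -> only 3 days
    ("2012-03-22 04:00:00", "db01", "df.home", 80),    # below threshold: filtered out
]


def matches(name, value):
    """Mirror the base search: (name="df.*" AND value>99) OR (name="*.var" AND value>95)."""
    return (name.startswith("df.") and value > 99) or (name.endswith(".var") and value > 95)


def days_per_week(events, min_days=5):
    """Return {(hostname, name): distinct_weekdays} for series seen on >= min_days days.

    The set per (hostname, name) plays the role of '| dedup date_wday hostname name':
    a second event on the same weekday adds nothing. len(set) is the '| stats count'
    and the min_days filter is '| where count > 4'.
    """
    seen = defaultdict(set)
    for ts, host, name, value in events:
        if not matches(name, value):
            continue
        wday = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").strftime("%A").lower()
        seen[(host, name)].add(wday)
    return {key: len(days) for key, days in seen.items() if len(days) >= min_days}


if __name__ == "__main__":
    for (host, name), days in days_per_week(SAMPLE_EVENTS).items():
        print(f"{host} {name}: alerted on {days} distinct days this week")
```

The example groups by hostname and name only; grouping by value as well, as the search does, would split a series whose value changes from day to day into several shorter ones.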
Depending on your dataset, it shouldn't be that hard. Try something like this (modify the dates accordingly):
earliest=3/18/2012:0:0:0 latest=3/23/2012:0:0:0 | dedup date_wday
If you want a relative timeframe, make earliest=-7d.
You will probably have to use a combination of transaction and eval commands. Can you post a sample of your events? That would really help.