Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to write a query to have count of time where ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
guru865
Path Finder
03-01-2017
08:57 AM
here is a search i'm using for one alert.
sourcetype=xx source="*yy" method=* timeDiff| eval Time=ltrim(rtrim(timeDiff,"S"),"PT") | stats count(Time) as Total_Hits | search Time>20
The above search fulfills the alert request to get the total hits where time is greater than 20 s.
I would like to have the count of total hits on whole and greater than 20 s hits and would like to trigger the alert .
Thanks
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
03-01-2017
09:15 AM
How about this. This alert query will return result (so you can alert when 'number of events greater than zero') when there are events with Time>20.
sourcetype=xx source="*yy" method=* timeDiff
| eval Time=ltrim(rtrim(timeDiff,"S"),"PT")
| stats count as Total_Hits count(eval(Time>20)) as AlertField
| where AlertField>0
| rename AlertField as "Hits_With_Time>20"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
03-01-2017
10:25 AM
Like this:
sourcetype=xx source="*yy" method=* timeDiff | eval Time=ltrim(rtrim(timeDiff,"S"),"PT")
| stats count(eval(Time>20)) AS Time20Plus | search Time20Plus>20
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
03-01-2017
09:15 AM
How about this. This alert query will return result (so you can alert when 'number of events greater than zero') when there are events with Time>20.
sourcetype=xx source="*yy" method=* timeDiff
| eval Time=ltrim(rtrim(timeDiff,"S"),"PT")
| stats count as Total_Hits count(eval(Time>20)) as AlertField
| where AlertField>0
| rename AlertField as "Hits_With_Time>20"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
guru865
Path Finder
03-01-2017
01:59 PM
Thanks alot somesoni2.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
03-01-2017
09:08 AM
At the very least, you need to test against the name of the field that you just created, because after the stats command, the field Time no longer exists.
| stats count(Time) as Total_Hits | search Total_Hits>20
more likely, you want
| stats count(eval(Time>20)) as Hits20 count as HitsTotal
Here's some test code you can play with -
|makeresults | eval Time="20 45 1 4 13 25 71 819 12" | makemv Time |mvexpand Time
| stats count(eval(Time>20)) as Hits20 count as HitsTotal
Get Updates on the Splunk Community!
Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1
Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
