Splunk Search

How would I create a search for an event that happens but exclude the first 45 minutes?

mrkala
New Member

I am new to Splunk and trying to create an alert for a message; however, I keep getting false positives on the message being sent seconds apart.

I would like the search to find events with the message being sent over 45 minutes.

Anyone have any ideas or is the search too complex?

index=wh_trading_feeds KICKOFF_*_FIRST_HALF NOT KICKOFF_*_FIRST_HALF_ET "attrs.MARATHON_APP_ID"="/whc/tbc01/feeds-incident-notifier"
| stats count by whId
| where count = 2
| eval eventTitle = "INFO Event KO modified: http://gtp-ui.trading-services.prod.williamhill.plc/#!/football/event/"+whId earliest=@now() latest=+45m
| table eventTitle
0 Karma

gcusello
SplunkTrust

Hi @mrkala,
Sorry, but in your search there are some errors: after the stats command you can use only the fields that you used in stats, in other words, in your search, only whId, so you no longer have eventTitle and _time, so you have to rebuild your search, modifying the stats command.

In addition, I don't understand the time condition you want to use to eliminate false positives.

Anyway, to solve the first problem, see below:

index=wh_trading_feeds KICKOFF_FIRST_HALF NOT KICKOFF_FIRST_HALF_ET "attrs.MARATHON_APP_ID"="/whc/tbc01/feeds-incident-notifier" 
| stats values(eventTitle) AS eventTitle earliest(_time) AS _time count by whId 
| where count = 2 
| eval eventTitle = "INFO Event KO modified: http://gtp-ui.trading-services.prod.williamhill.plc/#!/football/event/".whId 
| table eventTitle

For the second, could you give more info about the time frame?

Ciao.
Giuseppe

0 Karma

mrkala
New Member

@gcusello Thanks Giuseppe.

So the time frame will be at the first point the whId comes in, to prevent the whId coming twice seconds or minutes apart.

Basically, after the first event comes in (KICKOFF_FIRST_HALF) I don't want this message to come up in the search for at least 45 minutes.

0 Karma

gcusello
SplunkTrust

Let me understand:
for each whId, after Splunk has found a "KICKOFF_FIRST_HALF" message you don't want to see rows again for up to 45 minutes, is that correct?

If this is your requirement, you could try something like this, running every 5 minutes:

index=wh_trading_feeds KICKOFF_FIRST_HALF NOT KICKOFF_FIRST_HALF_ET earliest=-5m@m latest=now "attrs.MARATHON_APP_ID"="/whc/tbc01/feeds-incident-notifier" NOT [ search index=wh_trading_feeds KICKOFF_FIRST_HALF NOT KICKOFF_FIRST_HALF_ET "attrs.MARATHON_APP_ID"="/whc/tbc01/feeds-incident-notifier" earliest=-50m@m latest=-5m@m | dedup whId | fields whId ]
| stats values(eventTitle) AS eventTitle earliest(_time) AS _time count by whId
| where count = 2
| eval eventTitle = "INFO Event KO modified: http://gtp-ui.trading-services.prod.williamhill.plc/#!/football/event/".whId
| table eventTitle

Ciao.
Giuseppe

0 Karma
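Added example (not code from either poster): a Python simulation of what the scheduled search in the reply above does over time, so the 5-minute window, the 45-minute NOT [subsearch] lookback and the `where count = 2` filter can be checked against a small set of constructed KICKOFF_FIRST_HALF events. The timestamps and whId values are made up; only the URL prefix and the eventTitle format come from the thread.

```python
"""Simulation of the scheduled search in the reply above: run every 5 minutes,
take the KICKOFF_FIRST_HALF events of the last 5 minutes, drop any whId that
already appeared in the 45 minutes before that window (the NOT [subsearch]),
keep whIds that appear exactly twice, and build the eventTitle string.

Added example with constructed (timestamp, whId) events, not real feed data."""
from collections import Counter
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)      # main search: earliest=-5m@m latest=now
LOOKBACK = timedelta(minutes=45)   # subsearch: earliest=-50m@m latest=-5m@m
URL = "http://gtp-ui.trading-services.prod.williamhill.plc/#!/football/event/"

# Constructed sample; each tuple stands for one KICKOFF_FIRST_HALF message.
SAMPLE_EVENTS = [
    (datetime(2024, 1, 1, 10, 0, 10), "1001"),   # 1001: two messages seconds apart
    (datetime(2024, 1, 1, 10, 0, 30), "1001"),
    (datetime(2024, 1, 1, 10, 1, 0), "1002"),    # 1002: a single message (count = 1)
    (datetime(2024, 1, 1, 10, 20, 0), "1001"),   # 1001 again 20 min later: suppressed
    (datetime(2024, 1, 1, 10, 20, 5), "1001"),
    (datetime(2024, 1, 1, 10, 34, 50), "1003"),  # 1003: pair straddles a 5-min boundary
    (datetime(2024, 1, 1, 10, 35, 10), "1003"),
    (datetime(2024, 1, 1, 10, 50, 0), "1001"),   # 1001: 50 min after the first pair but
    (datetime(2024, 1, 1, 10, 50, 20), "1001"),  #   only 30 min after the 10:20 pair
    (datetime(2024, 1, 1, 11, 40, 0), "1001"),   # 1001: 50 min of silence, fires again
    (datetime(2024, 1, 1, 11, 40, 30), "1001"),
]


def run_search(events, now):
    """One execution of the scheduled search at `now`; returns the eventTitle
    rows it would output (Splunk's earliest is inclusive, latest exclusive)."""
    window_start = now - WINDOW
    lookback_start = window_start - LOOKBACK
    # NOT [ search ... earliest=-50m@m latest=-5m@m | dedup whId | fields whId ]
    suppressed = {wh for ts, wh in events if lookback_start <= ts < window_start}
    # main search over the last 5 minutes, minus the suppressed whIds
    counts = Counter(wh for ts, wh in events
                     if window_start <= ts < now and wh not in suppressed)
    # | stats count by whId | where count = 2 | eval eventTitle = "..." . whId
    return [f"INFO Event KO modified: {URL}{wh}"
            for wh, c in sorted(counts.items()) if c == 2]


def simulate(events, start, end, every=WINDOW):
    """Run the search on the scheduler's cadence from start to end and return
    {run_time: [eventTitle, ...]} for the runs that produced rows."""
    fired = {}
    t = start
    while t <= end:
        rows = run_search(events, t)
        if rows:
            fired[t] = rows
        t += every
    return fired


def demo():
    """Schedule the sample through a two-hour window; keys are "HH:MM" run times."""
    fired = simulate(SAMPLE_EVENTS, datetime(2024, 1, 1, 10, 0), datetime(2024, 1, 1, 12, 0))
    return {t.strftime("%H:%M"): rows for t, rows in fired.items()}


if __name__ == "__main__":
    for when, rows in demo().items():
        print(when, rows)
```

Running it, only the 10:05 and 11:45 runs produce a row, both for whId 1001. Two things the simulation makes visible that the SPL alone does not: the lookback suppresses on every occurrence of a whId, not only on ones that actually alerted, so 1001's pair at 10:50 is still silenced by the (itself suppressed) pair at 10:20; and a pair that straddles a 5-minute boundary (1003) is counted as 1 in each run and never reaches `count = 2`. If suppression should instead start from the alert that fired, Splunk's built-in alert throttling ("Suppress results containing field value" on whId, for 45 minutes, under the alert's trigger conditions) gives that behaviour without the subsearch.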