Splunk Search

I want to write a search that should give me certain values at a certain time

Abha11
Explorer

Hi,

I am expecting an event at 7:15 and I want to write a search that should give me results as below:


If the event arrived at 7:15 - result 1

If the event has not arrived at 7:15 - result 2

If the event doesn't arrive 30 mins after 7:15 - result 3

The moment I receive the event - result 1


thank you for your help in advance.


alonsocaio
Contributor

Hi,

Maybe you can try using the query below as a base for your need:


...
| eval expected_date = strftime(now(), "%m-%d-%Y 7:15")
| eval expected_timestamp = strptime(expected_date, "%m-%d-%Y %H:%M")
| eval event_date = strftime(_time, "%m-%d-%Y %H:%M")
| eval event_timestamp = strptime(event_date, "%m-%d-%Y %H:%M")
| eval diff = event_timestamp - expected_timestamp
| eval result = case(diff = 0, "1", diff >= 1800, "3", 1=1, "2")
| table _time, expected_date, event_date, diff, result


The output was:

| _time               | expected_date   | event_date       | diff         | result |
|---------------------|-----------------|------------------|--------------|--------|
| 2020-06-11 07:45:00 | 06-11-2020 7:15 | 06-11-2020 07:45 | 1800.000000  | 3      |
| 2020-06-11 07:50:00 | 06-11-2020 7:15 | 06-11-2020 07:50 | 2100.000000  | 3      |
| 2020-06-11 07:00:00 | 06-11-2020 7:15 | 06-11-2020 07:00 | -900.000000  | 2      |
| 2020-06-11 07:20:00 | 06-11-2020 7:15 | 06-11-2020 07:20 | 300.000000   | 2      |
| 2020-06-11 07:15:00 | 06-11-2020 7:15 | 06-11-2020 07:15 | 0.000000     | 1      |
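The query above classifies events that do exist, so it can never return result 2 or 3 on its own: an `eval` runs once per event, and when nothing has arrived there is no event to evaluate. The search below is an added example (not alonsocaio's query or anything from the original thread) that handles the missing-event case by aggregating first with `stats`, which returns a single row with `count = 0` even when the base search matches nothing. `<your_index>` and `<your_sourcetype>` are placeholders for the expected event's source; the window, the 7:15 expected time and the 1800-second (30-minute) grace period are taken from the question.

```spl
index=<your_index> sourcetype=<your_sourcetype> earliest=@d+7h+15m latest=@d+7h+45m
| stats count AS arrived, min(_time) AS first_seen
| eval expected = relative_time(now(), "@d+7h+15m")
| eval elapsed = now() - expected
| eval result = case(arrived > 0, "1", elapsed >= 1800, "3", 1=1, "2")
| eval first_seen = strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| table arrived, first_seen, elapsed, result
```

Run it as a scheduled search (for example every 5 minutes from 7:15 onwards) rather than ad hoc: each run yields exactly one row, `1` as soon as at least one event sits in the window, `2` while less than 30 minutes have passed since 7:15 with nothing received, and `3` once the grace period has elapsed with the window still empty. The `earliest`/`latest` bounds are what keep an event from 7:00 (result 2 in the posted output) out of the count, and `first_seen` records when the event actually landed for the alert body.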