Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Ignore events within a timespan?

bmorgenthaler
Path Finder
‎11-03-2020 06:53 PM

Is it possible to drop events if they occur within a certain timespan of each other? I'm specifically looking at VMware View logs and trying to corelate external user login sessions.  Normally there is a BROKER_USERLOGGEDIN event and then AGENT RECONNECT/CONNECT events.  Unfortunately everyonce in a while there is a network hiccup and a client disconnects/reconnects without a BROKER_USERLOGGEDIN event (like the attached picture).

bmorgenthaler_0-1604457264506.png

I want to ignore/drop any EventType=AGENT_DISCONNECT and EventType=AGENT_RECONNECT if they happen within 60 seconds.  

Labels (1)
Labels
Tags (1)
0 Karma
Reply

MuS
Legend
‎11-03-2020 07:16 PM

Hi bmorgenthaler ,

you can use `streamstats` to calculate the time difference and filter on that like this:

your base search here
| streamstats current=f last(_time) AS l_time last(EventType) AS l_EventType by EventType
| eval diff = _time - l_time 
| where diff < 60  AND l_EventType=="AGENT_DISCONNECT" AND EventType=="AGENT_RECONNECT"

This might needs tuning but will give you a starting point.

Hope this helps ...

cheers, MuS 

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...