Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to use streamstats over a 3 minute window over a 9 minute search to pick up three consecutive events?

becksyboy
Contributor
‎12-31-2024 01:43 AM

Hi I have an ask to create an alert that must trigger if there are more than 50 '404' status codes in a 3 min period. This window must repeat three times in a row - for e.g 9:00 - 9:03, 9:03 - 9:06, 9:06 - 9:09.   The count should trigger only for those requests with 404 status code and for certain urls. The alert must only trigger if there are three values over 50 in consecutive 3 min windows.

I have some initial SPL not using streamstats, but was wondering if streamstats would be better?

Initial SPL - run over a 9 min time range:

index="xxxx" "httpMessage.status"=404 url = "xxxx/1" OR url="xxxx/2" OR url ="xxxx/3"
| timechart span=3m count(httpMessage.status) AS HTTPStatusCount
| where HTTPStatusCount>50
| table _time HTTPStatusCount

 

thanks.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-31-2024 02:02 AM

What you are doing will work fine assuming your alert is triggering is there are 3 results i.e. all of the 3 minute slots in your 9 minute period have counts greater than 50.

Using streamstats would give you something different and doesn't quite fit with your stated requirement.

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-31-2024 02:02 AM

What you are doing will work fine assuming your alert is triggering is there are 3 results i.e. all of the 3 minute slots in your 9 minute period have counts greater than 50.

Using streamstats would give you something different and doesn't quite fit with your stated requirement.

Reply
Solved! Jump to solution

becksyboy
Contributor
‎12-31-2024 02:14 AM

Thanks for the additional validation on my initial search.

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎12-31-2024 02:26 AM
It exactly this way. The key word here is fixed window or sliding window. With fixed window time chart is correct way to do it, but if you need to look those event in sliding window (it change start and end time continuously based on current event) then you must use stream stats.
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...