Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to use streamstats over a 3 minute window over a 9 minute search to pick up three consecutive events?

becksyboy
Contributor
‎12-31-2024 01:43 AM

Hi I have an ask to create an alert that must trigger if there are more than 50 '404' status codes in a 3 min period. This window must repeat three times in a row - for e.g 9:00 - 9:03, 9:03 - 9:06, 9:06 - 9:09.   The count should trigger only for those requests with 404 status code and for certain urls. The alert must only trigger if there are three values over 50 in consecutive 3 min windows.

I have some initial SPL not using streamstats, but was wondering if streamstats would be better?

Initial SPL - run over a 9 min time range:

index="xxxx" "httpMessage.status"=404 url = "xxxx/1" OR url="xxxx/2" OR url ="xxxx/3"
| timechart span=3m count(httpMessage.status) AS HTTPStatusCount
| where HTTPStatusCount>50
| table _time HTTPStatusCount

 

thanks.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-31-2024 02:02 AM

What you are doing will work fine assuming your alert is triggering is there are 3 results i.e. all of the 3 minute slots in your 9 minute period have counts greater than 50.

Using streamstats would give you something different and doesn't quite fit with your stated requirement.

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-31-2024 02:02 AM

What you are doing will work fine assuming your alert is triggering is there are 3 results i.e. all of the 3 minute slots in your 9 minute period have counts greater than 50.

Using streamstats would give you something different and doesn't quite fit with your stated requirement.

Reply
Solved! Jump to solution

becksyboy
Contributor
‎12-31-2024 02:14 AM

Thanks for the additional validation on my initial search.

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎12-31-2024 02:26 AM
It exactly this way. The key word here is fixed window or sliding window. With fixed window time chart is correct way to do it, but if you need to look those event in sliding window (it change start and end time continuously based on current event) then you must use stream stats.
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...