Splunk Search

Is there an alternative command for the timeshift(Sumo logic ) in splunk?

Vikasreddys
Engager

Hi Everyone,

I need to migrate a report from Sumo Logic to Splunk. In the Sumo Logic report we use the time compare option: the compare operator allows you to compare current search results with data from a past time period for aggregate searches.


For example: if you wanted to compare the count of backfill errors, with a span of 5 min of events per hour, along with a timeshift of 3 min, it gives the count of events for every 5 min along with the count 3 min prior to those events.


How can this be achieved in Splunk?

Here is the sample Sumo Logic query:

(_sourceCategory=app (error OR fail*) AND exception)
| "Quote Sequences Error" as ALERT_DESC
| _sourcecategory as SUMO_SOURCE_CATEGORY
| "APP-PROD" as APP_ID
| _sourcehost as APP_SERVER_NAME
| _sourcename as APP_SOURCE_CATEGORY
| _sourcecategory as SUMO_SOURCE_CATEGORY
| timeslice 3m
| count by _timeslice,APP_ID,APP_SERVER_NAME,APP_SOURCE_CATEGORY,SUMO_SOURCE_CATEGORY,ALERT_DESC
| formatDate(_timeslice, "HH:mm:ss:SSS") as EventTime
| if(_count > "100","1",
if(_count > "50","2",
if(_count > "3" and EventTime > "12:00:00" and EventTime < "05:00:00", "4",
if(_count > "3", "3","0")))) as sumo_severity
| format ("%s total errors in the last 3 minutes", _count) as notes
| compare with timeshift 3m
| if (isBlank(sumo_severity_3m) , "0", sumo_severity_3m) as sumo_severity_3m
| where sumo_severity != sumo_severity_3m and !(isblank(sumo_severity))
| sort by _timeslice desc | fields - EventTime, EventTime_3m
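One way to reproduce `compare with timeshift 3m` in SPL, written here as an added example (it is not from the original post and not output of uncoder.io): `appendpipe` makes a copy of the aggregated rows shifted forward by 180 s that carries the severity as `sumo_severity_3m`, and a second `stats` joins that copy back onto the bucket it now lines up with. The index name `app` and the mapping of Sumo's `_sourcehost`/`_sourcename`/`_sourceCategory` to Splunk's `host`/`source`/`sourcetype` are assumptions; the severity condition is kept exactly as in the original query.

```spl
index=app (error OR fail*) exception ```assumed index; maps the Sumo _sourceCategory=app scope```
| eval ALERT_DESC="Quote Sequences Error", APP_ID="APP-PROD"
| rename host AS APP_SERVER_NAME, source AS APP_SOURCE_CATEGORY, sourcetype AS SUMO_SOURCE_CATEGORY ```assumed field mapping```
| bin _time span=3m ```equivalent of timeslice 3m```
| stats count AS error_count BY _time, APP_ID, APP_SERVER_NAME, APP_SOURCE_CATEGORY, SUMO_SOURCE_CATEGORY, ALERT_DESC
| eval EventTime=strftime(_time, "%H:%M:%S")
| eval sumo_severity=case(error_count > 100, "1",
                          error_count > 50, "2",
                          error_count > 3 AND EventTime > "12:00:00" AND EventTime < "05:00:00", "4",
                          error_count > 3, "3",
                          true(), "0")
| eval notes=error_count." total errors in the last 3 minutes"
| appendpipe
    [ eval _time=_time + 180 ```shift every bucket forward one slice so it sits on its successor```
    | rename sumo_severity AS sumo_severity_3m
    | fields _time, APP_ID, APP_SERVER_NAME, APP_SOURCE_CATEGORY, SUMO_SOURCE_CATEGORY, ALERT_DESC, sumo_severity_3m ]
| stats values(error_count) AS error_count, values(notes) AS notes,
        values(sumo_severity) AS sumo_severity, values(sumo_severity_3m) AS sumo_severity_3m
        BY _time, APP_ID, APP_SERVER_NAME, APP_SOURCE_CATEGORY, SUMO_SOURCE_CATEGORY, ALERT_DESC
| fillnull value="0" sumo_severity_3m ```same default the isBlank() branch applies in Sumo```
| where isnotnull(sumo_severity) AND sumo_severity != sumo_severity_3m
| sort - _time
| fields - EventTime
```

Unlike Sumo's compare, which re-queries the past window, the shifted copy only covers buckets already inside the search range, so start the search 3 minutes earlier than the period you report on (for example `earliest=-63m` for a one-hour view) or the first bucket will always show `sumo_severity_3m=0`.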

gcusello
SplunkTrust

Hi @Vikasreddys ,

Did you already see this site https://uncoder.io/ to translate Sumo Logic queries into Splunk searches?

Right now, as I'm answering your question, the service is temporarily unavailable, so I cannot answer directly, but it will be back soon.

Ciao.

Giuseppe
