Splunk Search

Looking for disconnection events that do NOT have a matching reconnection event

CMSchelin
Path Finder

The context: We have an integration between a tool and AD using agents. Every so often, the tool reports that the agent disconnected, and then about 5-20 minutes later, it'll say the agent reconnected.

I already have a search that uses transaction to get me what I need in general, but it's not quite what I'm looking for. The draft:

index="connector" eventType="ad.agent.connect"
| rex field=target "\"displayName\": \"(?<agent>[^\"]+)\".+"
| transaction agent startswith="ad.agent.disconnected" endswith="ad.agent.reconnected"
| table _time, displayMessage, agent
| sort _time

What I actually want: Only events that do not have an event "ad.agent.reconnected" within 30 minutes of the "ad.agent.disconnected" event.

maxspan isn't doing it for me; I need something more like minspan, or invert=true, or something. The agent name isn't unique enough to go "if you never see this field again".

Help?

0 Karma

to4kawa
Ultra Champion
 index="connector" eventType="ad.agent.connect"
 | rex field=target "\"displayName\": \"(?<agent>[^\"]+)\".+"
 | reverse
 | streamstats count(eval(searchmatch("ad.agent.disconnected"))) as session by agent
 | stasts min(_time) as _time range(_time) as duration by session agent 

check this result, and

| where duration > 30 * 60 
0 Karma
Get Updates on the Splunk Community!

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...