Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Looking for new events

richnavis
Contributor
‎05-06-2016 11:57 AM

Good Day Everyone,

I"m trying to construct a search that will search our weblogs over a one hour period and report on IP addresses that didn't appear in the first half hour. I would like to display the sum of new IPs in a timechart. The approach I'm started to take is to search the hour, create 1 minute buckets, group by IP address, and add a column that indicates if it was first half or second half of the hour so the data now looks something like this..
Time IP &nbsp Count Group
08:00 10.10.10.10 20 First
08:01 10.10.10.10 27 First
08:00 10.10.10.11 3 First
.....
08:32 10.10.10.11 79 Second
08:33 10.10.10.14 11 Second
08:34 10.10.10.14 44 Second
...

So, now I'm trying to Create a TimeChart that includes ALL values from first group, and ONLY IPs in the second group that aren't included in the first group. This is where I'm stumped.

0 Karma
Reply

woodcock
Esteemed Legend
‎05-07-2016 08:30 AM

Like this:

... | eval date_minute = strftime(_time, "%M") | eval FirstOrSecond=if((date_minute>=30), "Second", "First") | eventstats dc(FirstOrSecond) AS numHalves BY IP | where FirstOrSecond="First" OR (FirstOrSecond="Second" AND numHalves=1) | timechart ...
0 Karma
Reply

jensonthottian
Contributor
‎05-06-2016 12:11 PM

index=abc earliest=-60m latest=-31m |table _time IP |eval Group=First | join _time [search index= abc NOT [search index=abc earliest=-60m latest=-31m |dedup IP| table IP] earliest=-30m latest=now |table _time IP|eval Group=Second]| table _time Group

This should give you result from group 2 avoiding IP's from first group.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcment

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...