Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Looking for new events

richnavis
Contributor
‎05-06-2016 11:57 AM

Good Day Everyone,

I"m trying to construct a search that will search our weblogs over a one hour period and report on IP addresses that didn't appear in the first half hour. I would like to display the sum of new IPs in a timechart. The approach I'm started to take is to search the hour, create 1 minute buckets, group by IP address, and add a column that indicates if it was first half or second half of the hour so the data now looks something like this..
Time IP &nbsp Count Group
08:00 10.10.10.10 20 First
08:01 10.10.10.10 27 First
08:00 10.10.10.11 3 First
.....
08:32 10.10.10.11 79 Second
08:33 10.10.10.14 11 Second
08:34 10.10.10.14 44 Second
...

So, now I'm trying to Create a TimeChart that includes ALL values from first group, and ONLY IPs in the second group that aren't included in the first group. This is where I'm stumped.

0 Karma
Reply

woodcock
Esteemed Legend
‎05-07-2016 08:30 AM

Like this:

... | eval date_minute = strftime(_time, "%M") | eval FirstOrSecond=if((date_minute>=30), "Second", "First") | eventstats dc(FirstOrSecond) AS numHalves BY IP | where FirstOrSecond="First" OR (FirstOrSecond="Second" AND numHalves=1) | timechart ...
0 Karma
Reply

jensonthottian
Contributor
‎05-06-2016 12:11 PM

index=abc earliest=-60m latest=-31m |table _time IP |eval Group=First | join _time [search index= abc NOT [search index=abc earliest=-60m latest=-31m |dedup IP| table IP] earliest=-30m latest=now |table _time IP|eval Group=Second]| table _time Group

This should give you result from group 2 avoiding IP's from first group.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...