Need a query for the same event repeated in a defi...

esaionz · ‎04-08-2020

Hi,
I need a query to show me all occurrances when the same message is logged within 200ms.
Log example:

Message="Landed on page"
xxxxxx
yyyyyyy
Message="Landed on page"
zzzzzzz
uuuuu
jjjjjjjjjjj
Message="Landed on page"

I need to show all Message="Landed on page" which happened only with 200ms time from each other.
Thanks!

DalJeanis · ‎04-10-2020

try this. (replace with the actual index and sourcetype)

index=myindex sourcetype=something Message="Landed on page"
| streamstats current=f window=1 last(_time) as next_time by Message
| reverse
| streamstats current=f window=1 last(_time) as last_time by Message
| where (next_time < _time + 0.2) OR (laxt_time > _time - 0.2)

This will give you every Message that is within 200 ms (0.2 second) of another of the same Message.

to4kawa · ‎04-08-2020

use streamstats range() and select with where

esaionz · ‎04-08-2020

I'm new to Splunk, how should I use it?. index=* message where message is repeated within 200ms. Thanks.

to4kawa · ‎04-08-2020

see reference and try examples. and then, make your query.
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Streamstats
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Where

your log is unclear. so , you should make query yourself.

Need a query for the same event repeated in a defined time

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation