Need to Exclude event SERVICE_START observed within 10 minutes from same host after observing service stop

HPACHPANDE
Explorer

index=123 sourcetype=XYZ AND type IN ("SERVICE_STOP") | table _time host type _raw

This is the main query, where we are searching for hosts on which a service stop has been observed.

Here, in this scenario, we need to exclude the host if a SERVICE_START event is seen from the same host within 10 minutes.


Kindly help me with the query
Thanks in Advance !!

1 Solution

richgalloway
SplunkTrust

First, search for both SERVICE_STOP and SERVICE_START events.  Then use the dedup command to get the most recent event for each host.  Filter out the SERVICE_START events and anything that happened in the last 10 minutes.  Whatever is left will be a SERVICE_STOP event at least 10 minutes old without a matching SERVICE_START.

index=foo sourcetype=XYZ type IN (SERVICE_START SERVICE_STOP)
| dedup host
| where type="SERVICE_STOP" AND _time < relative_time(now(), "-10m")
---
If this reply helps you, Karma would be appreciated.
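Added example (not from the thread and not Splunk code): a plain-Python re-implementation of what the accepted answer's pipeline does, so the dedup step can be traced by hand. Results are sorted newest-first, one event per host is kept (`dedup host`), and a host is reported when its last event is a SERVICE_STOP older than 10 minutes (`where ...`). The second function goes beyond the page: it applies the question's wording literally and reports every stop that was not followed by a start on the same host within the window. Host names, event times and the fixed clock are constructed for the example.

```python
# Added example: Python re-implementation of the accepted SPL answer's logic.
# Not from the thread; events, hosts and the clock below are constructed.
from datetime import datetime, timedelta, timezone

# Constructed "now" so the example is deterministic (Splunk's now() is wall-clock).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
WINDOW = timedelta(minutes=10)


def ev(host, kind, minutes_ago):
    """Build one constructed event with the fields the search uses."""
    return {"_time": NOW - timedelta(minutes=minutes_ago), "host": host, "type": kind}


# Constructed sample events covering the interesting cases.
SAMPLE_EVENTS = [
    ev("web01", "SERVICE_STOP", 30),    # stopped, never restarted            -> report
    ev("web02", "SERVICE_STOP", 25),
    ev("web02", "SERVICE_START", 20),   # restarted 5 min after the stop      -> exclude
    ev("web03", "SERVICE_STOP", 4),     # stopped 4 min ago, start may follow -> not yet
    ev("web04", "SERVICE_STOP", 50),
    ev("web04", "SERVICE_START", 35),   # restarted, but only after 15 min    -> rules differ
    ev("web05", "SERVICE_START", 60),
    ev("web05", "SERVICE_STOP", 40),
    ev("web05", "SERVICE_STOP", 15),    # latest event is a stop, 15 min old  -> report
]


def latest_event_per_host(events):
    """Equivalent of `| dedup host` on results ordered newest-first."""
    latest = {}
    for e in sorted(events, key=lambda e: e["_time"], reverse=True):
        latest.setdefault(e["host"], e)     # first hit per host is the newest one
    return latest


def unrecovered_stops(events, now=NOW, window=WINDOW):
    """Equivalent of `| where type="SERVICE_STOP" AND _time < relative_time(now(), "-10m")`.

    Returns the hosts whose most recent event is a SERVICE_STOP older than `window`.
    """
    cutoff = now - window
    return sorted(host for host, e in latest_event_per_host(events).items()
                  if e["type"] == "SERVICE_STOP" and e["_time"] < cutoff)


def stops_without_start_in_window(events, now=NOW, window=WINDOW):
    """Stricter variant (beyond the page): every SERVICE_STOP whose host did not
    log a SERVICE_START within `window` after it. Stops younger than `window`
    are skipped because their verdict is not known yet.
    """
    by_host = {}
    for e in events:
        by_host.setdefault(e["host"], []).append(e)
    hits = []
    for host, host_events in by_host.items():
        starts = [e["_time"] for e in host_events if e["type"] == "SERVICE_START"]
        for e in host_events:
            if e["type"] != "SERVICE_STOP" or e["_time"] + window > now:
                continue
            recovered = any(e["_time"] <= s <= e["_time"] + window for s in starts)
            if not recovered:
                hits.append((host, e["_time"]))
    return sorted(hits)


if __name__ == "__main__":
    print("latest-event rule  :", unrecovered_stops(SAMPLE_EVENTS))
    for host, t in stops_without_start_in_window(SAMPLE_EVENTS):
        print("strict window rule :", host, "stopped at", t.isoformat())
```

The two rules agree on most hosts but differ on web04: its service came back, so the dedup rule drops it, while the strict rule flags the stop because recovery took longer than the 10-minute window. Which one is wanted depends on whether the alert is "service currently down" or "service was down for more than 10 minutes". Note that `dedup host` only keeps the newest event because search results arrive newest-first; if the search is reordered (for example by a `sort`), that assumption no longer holds.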


HPACHPANDE
Explorer

Hello richgalloway,
It worked, Thanks !!
