Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Only execute if greater than or equal to x mins

hl
Path Finder
‎08-20-2025 09:26 AM

Hello looking for way to create an alert based off the difference between times and only execute if the time is greater than or equal to x mins. 

 

Code: 

index=net* sourcetype=pan:* 
action="blocked" OR action="failure"
|stats count min(_time) as firstTime 
max(_time) as lastTime
by src_ip,dest,dest_port,rule,tag,log_subtype,transport |where count >= 10 
|eval diff=lastTime-firstTime
```|eval diff=strftime(diff, "%d %H:%M:%S") ```
|eval diff=strftime(diff, "%M:%S") 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`

 Regards, 

 

Labels (1)
Labels
0 Karma
Reply

hl
Path Finder
‎08-20-2025 11:52 AM

Actually I think I figured this out!

 

index=netfw sourcetype=pan:* 
action="blocked" OR action="failure"
|stats count min(_time) as firstTime max(_time) as lastTime by src_ip |where count >= 10
|eval diff=floor((lastTime-firstTime)) 
|eval "Difference in Mins" = floor((diff / 60)) 
|eval SortbyMins="Difference in Mins"
|fields - diff,SortbyMins
|sort - SortbyMins

| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
0 Karma
Reply

hl
Path Finder
‎08-20-2025 10:03 AM

Created this instead, 

index=net* sourcetype=pan:* 
action="blocked" OR action="failure"
|stats count min(_time) as firstTime max(_time) as lastTime by src_ip |where count >= 10
|eval diff=toString(lastTime-firstTime, "duration")
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`

 but still trying to figure out how to only show results if greater than x mins. ?  

0 Karma
Reply

hl
Path Finder
‎08-20-2025 09:29 AM

I just wanna make variable and assign it but I know I can't do that and you can't create boolean on an eval 

 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...