Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Only execute if greater than or equal to x mins

hl
Path Finder
‎08-20-2025 09:26 AM

Hello looking for way to create an alert based off the difference between times and only execute if the time is greater than or equal to x mins. 

 

Code: 

index=net* sourcetype=pan:* 
action="blocked" OR action="failure"
|stats count min(_time) as firstTime 
max(_time) as lastTime
by src_ip,dest,dest_port,rule,tag,log_subtype,transport |where count >= 10 
|eval diff=lastTime-firstTime
```|eval diff=strftime(diff, "%d %H:%M:%S") ```
|eval diff=strftime(diff, "%M:%S") 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`

 Regards, 

 

Labels (1)
Labels
0 Karma
Reply

hl
Path Finder
‎08-20-2025 11:52 AM

Actually I think I figured this out!

 

index=netfw sourcetype=pan:* 
action="blocked" OR action="failure"
|stats count min(_time) as firstTime max(_time) as lastTime by src_ip |where count >= 10
|eval diff=floor((lastTime-firstTime)) 
|eval "Difference in Mins" = floor((diff / 60)) 
|eval SortbyMins="Difference in Mins"
|fields - diff,SortbyMins
|sort - SortbyMins

| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
0 Karma
Reply

hl
Path Finder
‎08-20-2025 10:03 AM

Created this instead, 

index=net* sourcetype=pan:* 
action="blocked" OR action="failure"
|stats count min(_time) as firstTime max(_time) as lastTime by src_ip |where count >= 10
|eval diff=toString(lastTime-firstTime, "duration")
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`

 but still trying to figure out how to only show results if greater than x mins. ?  

0 Karma
Reply

hl
Path Finder
‎08-20-2025 09:29 AM

I just wanna make variable and assign it but I know I can't do that and you can't create boolean on an eval 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...