Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Only execute if greater than or equal to x mins

hl
Path Finder
4 weeks ago

Hello looking for way to create an alert based off the difference between times and only execute if the time is greater than or equal to x mins. 

 

Code: 

index=net* sourcetype=pan:* 
action="blocked" OR action="failure"
|stats count min(_time) as firstTime 
max(_time) as lastTime
by src_ip,dest,dest_port,rule,tag,log_subtype,transport |where count >= 10 
|eval diff=lastTime-firstTime
```|eval diff=strftime(diff, "%d %H:%M:%S") ```
|eval diff=strftime(diff, "%M:%S") 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`

 Regards, 

 

Labels (1)
Labels
0 Karma
Reply

hl
Path Finder
4 weeks ago

Actually I think I figured this out!

 

index=netfw sourcetype=pan:* 
action="blocked" OR action="failure"
|stats count min(_time) as firstTime max(_time) as lastTime by src_ip |where count >= 10
|eval diff=floor((lastTime-firstTime)) 
|eval "Difference in Mins" = floor((diff / 60)) 
|eval SortbyMins="Difference in Mins"
|fields - diff,SortbyMins
|sort - SortbyMins

| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
0 Karma
Reply

hl
Path Finder
4 weeks ago

Created this instead, 

index=net* sourcetype=pan:* 
action="blocked" OR action="failure"
|stats count min(_time) as firstTime max(_time) as lastTime by src_ip |where count >= 10
|eval diff=toString(lastTime-firstTime, "duration")
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`

 but still trying to figure out how to only show results if greater than x mins. ?  

0 Karma
Reply

hl
Path Finder
4 weeks ago

I just wanna make variable and assign it but I know I can't do that and you can't create boolean on an eval 

 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...