Perform Transaction for only repeating values of f...

omend · ‎07-16-2013

Hi,

I'm looking to write a splunk search that joins consecutive similar events.
The data is of IP Addresses allocation to machine names, so the lines are of the following format:

[Start Time],[End Time],[Hostname],[IP Address]
10:00,10:15,MINE-PC,10.0.0.2
10:15,12:00,MINE-PC,10.0.0.2
12:00,12:45,MINE-PC,10.0.0.5
12:45,13:08,MINE-PC,10.0.0.5
13:08,13:37,MINE-PC,10.0.0.2

I would like to join all consecutive identical IP Addresses so the results should look like:
[Start Time],[End Time],[Hostname],[IP Address]
10:00,12:00,MINE-PC,10.0.0.2
12:00,13:08,MINE-PC,10.0.0.5
13:08,13:37,MINE-PC,10.0.0.2

Could anyone please provide a short search code?

Thanks,
Ori.

dmlee · ‎07-16-2013

may I know if the live time of an allocated IP is always 15 minutes or can be any range ?
if the live time is always 15 minutes , you can try this :

sourcetype="omend" | rex "(?P[^,]+),(?P[^,]+),(?P[^,]+),(?P[^,]+)" | transaction maxpause=15m IP HostName

omend · ‎07-16-2013

Unfortunately the 15 minutes bucket is only for the example purposes, it can be any time range.

Perform Transaction for only repeating values of field

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

Your summer travels continue with new course releases

Are you a member of the Splunk Community?

Perform Transaction for only repeating values of field

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

Your summer travels continue with new course releases