Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Return only those events who exist in consecutive time bins

jpawloski
Path Finder
‎10-04-2019 06:23 PM

So I'm working on a search that returns standard network stuff and using a bin to bucket the data by a day. Something like this:

base search earliest=-7d | bin _time span=1d as window | stats count(dest) as destination values(this) as this values(that) as that by ip window | where destination > 2

So this works but what I'm really interested in seeing are those ip values that exist in more than one window bin. I can't think of a way to break it down from what has effectively been the end of the search up to this point. Any ideas?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-05-2019 04:31 AM

Hi
If you don't have fields, you could use something like this:

 base search earliest=-7d
| timechart span=1d count
| delta count AS delta
| where delta=0 AND count=1

In this way, you have all the day where there's

If instead you have to check the difference also using fields (as ip or windows) you have to use the transaction command that's not so performant.

base search earliest=-7d
| transaction maxspan=2m ip window
| where eventcount>1

This search runs only if you have at max one event in each hour

There's also another solution that seems to run on my test data but you should test:

base search earliest=-7d
| eval col=ip." ".window
| timechart span=1m dc(col) AS count
| delta count AS delta
| where delta=0 AND count>0

Bye.
Giuseppe

0 Karma
Reply

ololdach
Builder
‎10-05-2019 12:47 AM

Hi jpawloski,
right after the bin command, you have a bunch of IP values each with a window value attached to it. You want to find those IP that are in two or more consecutive windows. My first approach to this would be to use transaction ip maxpause=1d . That would group all those events, that are consecutive and discard the rest.
Hope it helps
Oliver

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...