Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Search for when "Event X" happens within x hours o...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have this search:
("WARNING: ERROR Message" host=SERVER1) OR (EventCode=1074 Shutdown_Type="*")
This shows both the "Error Message" events and the "EventCode=1074 Shutdown_Type="*"" events.
However - I am interrested in only showing the "EventCode=1074 Shutdown_Type="*" events that occur within X hours of the "Error Message" events.*
My results should contain all the ("WARNING: ERROR Message" host=SERVER1) events and only the (EventCode=1074 Shutdown_Type="*") that occur within X hours of the ("WARNING: ERROR Message" host=SERVER1) events.
Can someone point me in the right direction? Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi bravon,
The map command will work, though there may be more efficient ways to do it that avoids a subsearch. As an example, this will match completed search commands for 5 mins after a Splunk login.
index=_audit action="login attempt" | eval first=_time | eval last=relative_time(_time, "+5mins")
| map search="search index=_audit action=\"login attempt\" OR (action=search info=completed) earliest=$first$ latest=$last$"|sort - _time
Note: the map command needs action=\"login attempt\" (escape quotes, if used/needed), otherwise only the action=search... results would be returned, which would not meet your requirements.
Hope this helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi bravon,
The map command will work, though there may be more efficient ways to do it that avoids a subsearch. As an example, this will match completed search commands for 5 mins after a Splunk login.
index=_audit action="login attempt" | eval first=_time | eval last=relative_time(_time, "+5mins")
| map search="search index=_audit action=\"login attempt\" OR (action=search info=completed) earliest=$first$ latest=$last$"|sort - _time
Note: the map command needs action=\"login attempt\" (escape quotes, if used/needed), otherwise only the action=search... results would be returned, which would not meet your requirements.
Hope this helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi bravon,
This search may prove more efficient, as it does not use a sub-search like map.
index=_audit action="login attempt" OR (action=search info=completed)
| eval matchtime = if(match(action,"login attempt"), _time, null)
| eval extendtime = if(isnotnull(matchtime), relative_time(matchtime,"+300secs"), null)
| reverse | streamstats last(matchtime) as matched, last(extendtime) as lasttime
| where _time >= matched AND _time <= lasttime | reverse
The reverse is necessary for the streamstats command to work correctly, as it needs to work from earliest to latest, in this case. On a larger dataset the reverse may prove less efficient than the map command.
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
