Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Query to compute the count of consecutive hourly violations per day

iTechEvent
Explorer
‎05-01-2014 07:57 PM

I have data like this...

  • Date - Hour - Sample Number
  • 05/01/2014 - 10 - 200
  • 05/01/2014 - 11 - 201
  • 05/01/2014 - 12 - 202
  • 05/01/2014 - 15 - 205
  • 05/01/2014 - 16 - 206
  • 05/01/2014 - 20 - 210

On 05/01/2014 the max number of consecutive hourly violations i.e. sample 200,201,202 is 3 and occurred between hours 10 to 12.

I have data like this for each day for a month.

I need a splunk query to computer the per day max consecutive hourly violations and the time range between in which it occurred.

Similarly for the entire month I would like the date in which the max number of hourly violations occurred for the month and time range of day.

Any help will be appreciated.

Thanks in advance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎05-02-2014 01:05 AM

This solution assumes that your event timestamp (_time) corresponds to the Date and Hour in your events.

yoursearchhere
| transaction Date maxpause=61m
| eval earliestHour=strftime(_time,"%H")
| eval latestHour=strftime(_time+duration,"%H")
| eval errorCount = eventcount
| table Date earliestHour latestHour errorCount
| sort Date -errorCount
| dedup Date

This should work great as long as you have less than 1000 events per Date. Otherwise, Splunk can get a little picky about compiling the transactions - and at that point the solution might start to slow down anyway.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎05-02-2014 01:05 AM

This solution assumes that your event timestamp (_time) corresponds to the Date and Hour in your events.

yoursearchhere
| transaction Date maxpause=61m
| eval earliestHour=strftime(_time,"%H")
| eval latestHour=strftime(_time+duration,"%H")
| eval errorCount = eventcount
| table Date earliestHour latestHour errorCount
| sort Date -errorCount
| dedup Date

This should work great as long as you have less than 1000 events per Date. Otherwise, Splunk can get a little picky about compiling the transactions - and at that point the solution might start to slow down anyway.

0 Karma
Reply
Solved! Jump to solution

manish_singh_77
Builder
‎01-08-2020 10:51 PM

@lguinn2

I have a query, there is a table where we have the job_result column, if we get consective 5 jobs failed then we need to be alerted.

0 Karma
Reply
Solved! Jump to solution

iTechEvent
Explorer
‎05-03-2014 12:27 PM

Awesome lguinn! Works well. Great Insight.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...