Splunk Search

Sum until contition is met, then begin new sum

Path Finder

Hello everybody,

While doing logfile analysis, I stumbled across a problem.

The important part of my logs looks like this:

Timestamp Source Destination
Sep 20 15:00:00 10.1.10.150 10.1.10.160
Sep 20 15:03:00 10.1.10.150 10.1.10.160
Sep 20 17:00:00 10.1.10.150 10.1.10.160
Sep 20 17:02:00 10.1.10.150 10.1.10.160
Sep 20 17:02:15 10.1.10.150 10.1.10.160

I'm calculating the interval between the events with

sourcetype="syslog" | transaction src dst dst_port keepevicted=true | sort + src | delta _time AS duration | eval duration=abs(duration) | table _time duration src

which works as it should; I get:

_time duration src
Sep 20 15:00:00 0 10.1.10.150
Sep 20 15:03:00 180 10.1.10.150
Sep 20 17:00:00 7020 10.1.10.150
Sep 20 17:02:00 120 10.1.10.150
Sep 20 17:02:15 15 10.1.10.150


Now I want to sum up the intervals (which itself is no problem) by Source, but only until an event occurs where the duration is >X, lets say 3600 seconds.
Whenever such an event occurs, I want a new line in my results and a new sum to begin, so the table for the given example should look like this:

from until sum(duration) src
Sep 20 15:00:00 Sep 20 15:03:00 180 10.1.10.150
Sep 20 17:00:00 Sep 20 17:02:15 135 10.1.10.150

I'm having trouble realizing this, since there are no real conditions or loops implemented in splunk, any suggestions?

0 Karma

Ultra Champion

I'm not sure I quite follow your transaction needs, or how you get the delta from the individual parts of a transaction.

But to me it seems like you could use the maxpause parameter for transaction to create a new transaction, i.e. if the pause between two events is longer than maxpause close the first transaction and start a new one.

Also, specifying more than one field for a transaction, may not have the effect you are looking for. See the example below.

http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Transaction#Description

Hope this may be of some help,

K

Path Finder

Thanks for your reply, by now I figured it out, using two transactions with only one specified field.

sourcetype="syslog" | sort 0 - src _time | transaction src maxpause=3840s keepevicted=true | delta _time AS d | eval d=abs(d) | transaction src maxpause=3840s | ... | table ...

0 Karma