While doing logfile analysis, I stumbled across a problem.
The important part of my logs looks like this:
Timestamp Source Destination
Sep 20 15:00:00 10.1.10.150 10.1.10.160
Sep 20 15:03:00 10.1.10.150 10.1.10.160
Sep 20 17:00:00 10.1.10.150 10.1.10.160
Sep 20 17:02:00 10.1.10.150 10.1.10.160
Sep 20 17:02:15 10.1.10.150 10.1.10.160
I'm calculating the interval between the events with
sourcetype="syslog" | transaction src dst dst_port keepevicted=true | sort + src | delta _time AS duration | eval duration=abs(duration) | table _time duration src
which works as it should; I get:
_time duration src
Sep 20 15:00:00 0 10.1.10.150
Sep 20 15:03:00 180 10.1.10.150
Sep 20 17:00:00 7020 10.1.10.150
Sep 20 17:02:00 120 10.1.10.150
Sep 20 17:02:15 15 10.1.10.150
Now I want to sum up the intervals (which itself is no problem) by Source, but only until an event occurs where the duration is >X, let's say 3600 seconds.
Whenever such an event occurs, I want a new line in my results and a new sum to begin, so the table for the given example should look like this:
from until sum(duration) src
Sep 20 15:00:00 Sep 20 15:03:00 180 10.1.10.150
Sep 20 17:00:00 Sep 20 17:02:15 135 10.1.10.150
I'm having trouble realizing this, since there are no real conditions or loops implemented in Splunk. Any suggestions?
I'm not sure I quite follow your transaction needs, or how you get the delta from the individual parts of a transaction.
But to me it seems like you could use the maxpause parameter for transaction to create a new transaction, i.e. if the pause between two events is longer than maxpause, close the first transaction and start a new one.
Also, specifying more than one field for a transaction may not have the effect you are looking for. See the example below.
Hope this may be of some help,
Thanks for your reply, by now I figured it out, using two transactions with only one specified field.
sourcetype="syslog" | sort 0 - src _time | transaction src maxpause=3840s keepevicted=true | delta _time AS d | eval d=abs(d) | transaction src maxpause=3840s | ... | table ...
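For readers who want to check the expected result outside Splunk, here is an added example (not the poster's search and not Splunk code) that performs the same gap-based grouping in Python: events are sorted per source, the gap to the previous event is accumulated, and a new group is started whenever the gap exceeds the threshold, which is what transaction with maxpause does. The sample lines are constructed to match the log shown above; the year is an assumption, since syslog timestamps carry none.

```python
from datetime import datetime

# Constructed sample lines in the same shape as the log in the question.
SAMPLE_LOG = """\
Sep 20 15:00:00 10.1.10.150 10.1.10.160
Sep 20 15:03:00 10.1.10.150 10.1.10.160
Sep 20 17:00:00 10.1.10.150 10.1.10.160
Sep 20 17:02:00 10.1.10.150 10.1.10.160
Sep 20 17:02:15 10.1.10.150 10.1.10.160
"""


def parse_log(text, year=2023):
    """Parse 'Mon DD HH:MM:SS src dst' lines into (timestamp, src, dst).

    The year is assumed because syslog timestamps do not include one.
    """
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        mon, day, clock, src, dst = line.split()
        ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        events.append((ts, src, dst))
    return events


def sessionize(events, maxpause=3600):
    """Group each source's events; a gap greater than maxpause seconds
    closes the current group and starts a new one (like transaction maxpause).

    Returns rows of (from, until, sum_of_gaps_in_seconds, src).
    """
    events = sorted(events, key=lambda e: (e[1], e[0]))  # by src, then time
    groups = []
    cur = None
    for ts, src, _dst in events:
        gap = (ts - cur["until"]).total_seconds() if cur and cur["src"] == src else None
        if gap is not None and gap <= maxpause:
            cur["sum"] += gap          # same group: accumulate the interval
            cur["until"] = ts
        else:
            cur = {"from": ts, "until": ts, "sum": 0.0, "src": src}
            groups.append(cur)         # new source or gap > maxpause: new group
    return [(g["from"], g["until"], int(g["sum"]), g["src"]) for g in groups]


if __name__ == "__main__":
    for frm, until, total, src in sessionize(parse_log(SAMPLE_LOG)):
        print(frm.strftime("%b %d %H:%M:%S"), until.strftime("%b %d %H:%M:%S"), total, src)
```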