Tstats Summary Join Different Search Ranges

sarausch
New Member

Hey Guys,

I have been struggling for a few days now, but I can't find a good/efficient solution for my problem.

I want to check 3 different Windows event IDs (for example 1, 2 and 3), where two of them precede the third. This is no problem at all, but my scheduled search should look for event ID 3 within a time range of 25 minutes.

The problem is now that the preceding event IDs (1, 2) could occur within a time range of 10h BEFORE event ID 3. If there are no such preceding events, an alarm should be triggered. I could let the search run over the last 10 hours, but I think there will be many false alarms.

In short:
- check for event ID 3 within -20m@m and -1m@m

- check for every found event ID 3 whether there are preceding event IDs 1 OR 2 within the last 10h

At the moment I am doing this:

| tstats summariesonly=true allow_old_summaries=true count AS eventCount_3 from datamodel=Windows
...
| join type=left user [| tstats summariesonly=true allow_old_summaries=true count AS eventCount_1 from datamodel=Windows
...
| join type=left user [| tstats summariesonly=true allow_old_summaries=true count AS eventCount_2 from datamodel=Windows
...
| eval goodAuth=if((eventCount_1>=1 OR eventCount_2>=1),1,0)

Unfortunately, the "earliest" and "latest" statements will not work with "tstats summariesonly".

I hope you understand my problem.

Best Regards,

Tim

0 Karma

to4kawa
Ultra Champion
summariesonly
Syntax: summariesonly=<bool>
Description: Only applies when selecting from an accelerated data model. When false, generates results from both summarized data and data that is not summarized. For data not summarized as TSIDX data, the full search behavior will be used against the original index data. If set to true, 'tstats' will only generate results from the TSIDX data that has been automatically generated by the acceleration and non-summarized data will not be provided.
Default: false

Your data model is not accelerated yet, I guess.

0 Karma

sarausch
New Member

@to4kawa: I think you got me wrong. Our data model is accelerated.

But what I want to do is search for an event within the last 25 minutes, and within that 25-minute search, other events should be searched for in a time range of the last 10 hours.

For example:

- search for event ID 3 in the time range 11:00 - 11:25

- check within the same search for event IDs 1 and 2 in the time range 01:00 - 11:00

So, 2 searches in one, but each search has its own time range, and this with tstats summariesonly=true.

I hope I could explain it well.

BR,

Tim

0 Karma
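One way to do both lookups (the 20-minute alert window for event ID 3 and the 10-hour lookback for event IDs 1 and 2 from the two posts above) in a single tstats call, added here as an example and not taken from the thread or from Splunk's own documentation: put the time range into the WHERE clause of tstats, which accepts earliest and latest, pull all three event IDs over the full lookback bucketed per minute, and then decide per user whether the event ID 3 seen in the alert window had a preceding event ID 1 or 2. The dataset and field names Windows.user and Windows.EventCode are assumptions about how the accelerated "Windows" data model is laid out; replace them with the real ones.

```spl
| tstats summariesonly=true allow_old_summaries=true count
    FROM datamodel=Windows
    WHERE earliest=-10h-20m@m latest=-1m@m
      (Windows.EventCode=1 OR Windows.EventCode=2 OR Windows.EventCode=3)
    BY Windows.user Windows.EventCode _time span=1m
| rename Windows.user AS user, Windows.EventCode AS event_id
| eval alert_start=relative_time(now(), "-20m@m")
| eval t3=if(event_id=3 AND _time>=alert_start, _time, null())
| eval t12=if(event_id=1 OR event_id=2, _time, null())
| stats min(t3) AS first_ev3, max(t12) AS last_ev12 BY user
| where isnotnull(first_ev3)
| eval goodAuth=if(isnotnull(last_ev12) AND last_ev12<=first_ev3 AND last_ev12>=first_ev3-36000, 1, 0)
| where goodAuth=0
```

The search range starts 10h20m back so that even an event ID 3 at the very beginning of the alert window gets its full 10-hour lookback; the first eval then narrows event ID 3 to the last 20 minutes only, while event IDs 1 and 2 are kept across the whole range. The final eval is the same goodAuth flag as in the original search, but computed from timestamps instead of counts, so the 36000-second (10h) constraint is evaluated relative to the event ID 3 that was actually seen, and the trailing where keeps only the users who should alert. Two caveats: the by _time span=1m bucketing means an event ID 1 or 2 in the same minute as the event ID 3 counts as preceding, and if a user has several event ID 3s in the window the check is anchored on the earliest one.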