- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Tstats Summary Join Different Search Ranges
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Tstats Summary Join Different Search Ranges
Hey Guys,
I am struggling arround a few days now, but I cant find a good/efficient solution for my problem.
I want to check 3 different windows event-ids (for example 1,2 and 3), where 2 of them the third precedes. This is no problem at all, but my scheduled search should look for event-id 3 within a timerange of 25 minutes.
The problem is now, that the preceding event-id (1,2) could occur within a timerange of 10h BEFORE the event-id 3. If there are not such preceding events, a alarm should be triggered. I could let the search run for the last 10 hours, but I think there will be many false alarms.
In short:
- check for event-id 3 within -20m@m and -1m@m
- check for every found event-id 3 whether there are preceding event-ids 1 OR 2 within the last 10h
At the moment I am doing so:
| tstats summariesonly=true allow_old_summaries=true count AS eventCount_3 from datamodel=Windows
...
| join type=left user [| tstats summariesonly=true allow_old_summaries=true count AS eventCount_1 from datamodel=Windows
...
| join type=left user [| tstats summariesonly=true allow_old_summaries=true count AS eventCount_2 from datamodel=Windows
...
| eval goodAuth=if((eventCount_1>=1 OR eventCount_2>=1),1,0)
Unfortunately the "earliest" and "latest"-Statement will not work with "tstats summariesonly".
I hope you understand my problem.
Best Regards,
Tim
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
summariesonly
Syntax: summariesonly=<bool>
Description: Only applies when selecting from an accelerated data model. When false, generates results from both summarized data and data that is not summarized. For data not summarized as TSIDX data, the full search behavior will be used against the original index data. If set to true, 'tstats' will only generate results from the TSIDX data that has been automatically generated by the acceleration and non-summarized data will not be provided.
Default: falseyour data model is not accelerated yet,I guess.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@to4kawa : I think you got me wrong. Our datamodel is accelerated.
But what I want todo is, search for ein event within the last 25mins, but within the search over 25min should be searched for other events in a timerange of the last 10hours.
For Example:
- searching for event-id 3 in the timerange 11:00 - 11:25
- check within the same search for event-ids 1 and 2 in the timerange of 01:00 - 11:00
So, 2 searches in one, but every search has its own timerange and this with tstats summariesonly=true.
I hope I could it explain well.
BR,
Tim
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
