Splunk Search

What is the best way to identify the outage window in one search?

dolj
Explorer

Is there a best-practice search to find the last event sent at the start of an outage and the first event that comes in after the outage for a specific data source was rectified? Basically, what is the best way to identify the outage window in one search?

0 Karma

gcusello
SplunkTrust

Hi @dolj,

If you want to find the time borders of a search, you can use "addinfo" (https://docs.splunk.com/Documentation/Splunk/8.2.6/SearchReference/Addinfo).

If instead you want to display the first and the last event, you can use stats and the options "first" and "last", something like this:

your_search
| stats first(_raw) AS first last(_raw) AS last

Ciao.

Giuseppe

0 Karma
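To get the actual outage window (last event before the gap and first event after it) in a single search rather than just the first and last event of the whole result set, one approach is to compare each event's timestamp with the previous one and keep only the gaps above a threshold. This is an added example, not from the original thread or from Splunk's documentation; the index, sourcetype, 7-day window and the 1800-second (30-minute) gap threshold are assumed placeholders, and `sort 0 _time` is there because `streamstats` must see events in ascending time order for `prev_time` to be the earlier event:

```spl
index=your_index sourcetype=your_sourcetype earliest=-7d
| sort 0 _time
| streamstats current=f last(_time) AS prev_time
| eval gap_sec = _time - prev_time
| where gap_sec > 1800
| eval last_before_outage = strftime(prev_time, "%Y-%m-%d %H:%M:%S"),
       first_after_outage = strftime(_time, "%Y-%m-%d %H:%M:%S"),
       outage_minutes = round(gap_sec / 60, 1)
| table last_before_outage first_after_outage outage_minutes
```

Each row is one outage window for that data source, which is also a useful basis for an alert on silent log sources, since a feed that stops sending is a monitoring blind spot until someone notices. On very large sources, sorting every raw event is costly; bucketing with `tstats count ... BY _time span=5m` and then running the same `streamstats` comparison over buckets with a zero count gives a coarser but much cheaper version of the same check.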