Splunk Search

exclude results near a match (ie exclude match AND +- 2 seconds)

Path Finder

I can't imagine this is possible, but Splunk continuously surprises me, so I'll ask:

Is there any way to exclude results, from the same host, + or - 2 seconds from a match?
(or N seconds/minutes)

For example, in the image below, I'd like to exclude the results above and below the match on the IP address 68.x.x.x.
(This is just an example; I know I could get to my goal in this case by just showing IP matches and investigating any IPs not in a known-good IP lookup CSV.)


thanks

0 Karma

Re: exclude results near a match (ie exclude match AND +- 2 seconds)

Path Finder

You can use the bin command to group your data into your desired time span and then do a distinct count on the IP.
Something like:

index=_internal | bin _time span=5s | stats dc(clientip)

0 Karma
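The following is an added example, not code from either post in this thread and not a Splunk search. It implements both ideas in Python over a few constructed web-access log lines: the question's "drop every event on the same host within +/- N seconds of a match (the match itself included)", and the answer's "bin events into a fixed span and take a distinct count of the client IP". The log format (`host=` and `clientip=` key/value pairs after an ISO timestamp), the 68.x.x.x match rule, and the 2-second / 5-second windows are assumptions chosen to mirror the thread.

```python
import re
from bisect import bisect_left
from datetime import datetime, timezone

# Constructed sample events; field names host/clientip mirror the thread and are assumed.
LOG_LINES = """\
2024-05-01T10:00:00 host=web1 clientip=10.0.0.5 GET /index.html 200
2024-05-01T10:00:01 host=web1 clientip=10.0.0.5 GET /style.css 200
2024-05-01T10:00:02 host=web1 clientip=68.0.0.1 GET /admin 403
2024-05-01T10:00:03 host=web1 clientip=10.0.0.5 GET /img.png 200
2024-05-01T10:00:04 host=web1 clientip=10.0.0.7 GET /about 200
2024-05-01T10:00:05 host=web1 clientip=10.0.0.7 GET /contact 200
2024-05-01T10:00:02 host=web2 clientip=10.0.0.9 GET /index.html 200
2024-05-01T10:00:06 host=web2 clientip=68.0.0.1 GET /admin 403
""".strip().splitlines()

LINE_RE = re.compile(r"^(\S+) host=(\S+) clientip=(\S+) (.*)$")


def parse_events(lines):
    """Turn raw lines into dicts with an integer epoch timestamp (timestamps treated as UTC)."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that does not fit the assumed format
        raw_ts, host, clientip, rest = m.groups()
        dt = datetime.strptime(raw_ts, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        events.append({"ts": int(dt.timestamp()), "raw_ts": raw_ts,
                       "host": host, "clientip": clientip, "msg": rest})
    return events


def exclude_near_matches(events, is_match, window_seconds=2):
    """Drop every event whose host has a matching event within +/- window_seconds
    (boundaries inclusive). Matching events themselves are dropped too, as the
    question asks. Uses a sorted per-host list of match times so each event costs
    one binary search."""
    match_times = {}
    for ev in events:
        if is_match(ev):
            match_times.setdefault(ev["host"], []).append(ev["ts"])
    for times in match_times.values():
        times.sort()

    kept = []
    for ev in events:
        times = match_times.get(ev["host"], [])
        lo, hi = ev["ts"] - window_seconds, ev["ts"] + window_seconds
        i = bisect_left(times, lo)          # first match time >= lo
        if i < len(times) and times[i] <= hi:
            continue                        # a match lies inside [lo, hi]: exclude
        kept.append(ev)
    return kept


def bin_distinct_count(events, span_seconds=5, field="clientip"):
    """Equivalent of '| bin _time span=5s | stats dc(clientip) by _time':
    map each event to the start of its span and count distinct values per bin."""
    bins = {}
    for ev in events:
        start = ev["ts"] - ev["ts"] % span_seconds
        bins.setdefault(start, set()).add(ev[field])
    return {datetime.fromtimestamp(s, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S"): len(v)
            for s, v in sorted(bins.items())}


def run_sample():
    """Apply both techniques to the constructed log; returns (kept_events, bins)."""
    events = parse_events(LOG_LINES)
    kept = exclude_near_matches(events, lambda e: e["clientip"].startswith("68."), window_seconds=2)
    bins = bin_distinct_count(events, span_seconds=5)
    return kept, bins


if __name__ == "__main__":
    kept, bins = run_sample()
    for ev in kept:
        print("kept:", ev["raw_ts"], ev["host"], ev["clientip"], ev["msg"])
    for start, dc in bins.items():
        print("bin", start, "dc(clientip) =", dc)
```

On the sample data the web1 match at 10:00:02 removes everything on web1 from 10:00:00 through 10:00:04, while the web2 event at 10:00:02 survives because the window is evaluated per host. Whether the boundary is inclusive (`<=`) or exclusive is a choice; the code makes it explicit so it can be changed deliberately.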