Splunk Search

help with if-else statement

sarit_s
Communicator

Hello,

I have this query :

index="prod" eventtype="csm-messages-dhcpd-lpf-eth0-sending" OR eventtype="csm-messages-dhcpd-lpf-eth0-listening" OR eventtype="csm-messages-dhcpd-send-socket-fallback-net" OR eventtype="csm-messages-dhcpd-write-zero-leases" OR eventtype="csm-messages-dhcpd-eth1-nosubnet-declared" 
| timechart span=1m count BY eventtype

which gives me results that look like this:

_time csm-messages-dhcpd-eth1-nosubnet-declared csm-messages-dhcpd-lpf-eth0-listening csm-messages-dhcpd-lpf-eth0-sending csm-messages-dhcpd-send-socket-fallback-net csm-messages-dhcpd-write-zero-leases
2019-08-05 10:24:00 1 1 1 1 1

I have a few questions:
1. Is there a way to write the query in such a way that it will return more than 5000 results?
2. How can I check these terms:
If count is not equal for all rules:
Find timestamps of instances that don’t match count
For each unique timestamp from the previous step, alert “CSM DHCP Anomaly” as ”Medium”

thanks

0 Karma

gcusello
SplunkTrust

Hi @sarit_s,
I'm not sure that you can satisfy all your needs. Anyway,
for the first request use stats instead of timechart:

index="prod" eventtype="csm-messages-dhcpd-lpf-eth0-sending" OR eventtype="csm-messages-dhcpd-lpf-eth0-listening" OR eventtype="csm-messages-dhcpd-send-socket-fallback-net" OR eventtype="csm-messages-dhcpd-write-zero-leases" OR eventtype="csm-messages-dhcpd-eth1-nosubnet-declared" 
| bin span=1m _time
| chart count OVER _time BY eventtype

But are you sure you want more than 5000 results? It's very difficult to read these results!

For the second question the command to use is rare at the end of the search:

index="prod" eventtype="csm-messages-dhcpd-lpf-eth0-sending" OR eventtype="csm-messages-dhcpd-lpf-eth0-listening" OR eventtype="csm-messages-dhcpd-send-socket-fallback-net" OR eventtype="csm-messages-dhcpd-write-zero-leases" OR eventtype="csm-messages-dhcpd-eth1-nosubnet-declared" 
| bin span=1m _time
| stats count BY _time eventtype
| rare _time eventtype

For the third question you already have the value but grouped by span; if you want the exact value, try something like this:

index="prod" eventtype="csm-messages-dhcpd-lpf-eth0-sending" OR eventtype="csm-messages-dhcpd-lpf-eth0-listening" OR eventtype="csm-messages-dhcpd-send-socket-fallback-net" OR eventtype="csm-messages-dhcpd-write-zero-leases" OR eventtype="csm-messages-dhcpd-eth1-nosubnet-declared" 
| stats count BY _time eventtype
| rare _time eventtype

Ciao.
Giuseppe

0 Karma

sarit_s
Communicator

Hi, thanks for your answer but it is not what I asked for.. I don't need the percentage of the results..
I need the results as they were in the first query and need to check on the results if there are some rows that don't have the same count.

0 Karma

gcusello
SplunkTrust

Hi @sarit_s,
try this:

index=_internal
| bin span=10m _time
| stats count AS my_count BY source _time
| rare showperc=false source, _time BY my_count
| sort my_count
| head 10

which, related to your example, is:

index="prod" eventtype="csm-messages-dhcpd-lpf-eth0-sending" OR eventtype="csm-messages-dhcpd-lpf-eth0-listening" OR eventtype="csm-messages-dhcpd-send-socket-fallback-net" OR eventtype="csm-messages-dhcpd-write-zero-leases" OR eventtype="csm-messages-dhcpd-eth1-nosubnet-declared" 
| bin span=1m _time
| stats count AS my_count BY _time eventtype
| rare _time eventtype By my_count showperc=false
| sort my_count
| head 10

I set a threshold of the first 10, but you can choose a different one.
If most events have the same value, you could use perc to find the different values.

Ciao.
Giuseppe

0 Karma

sarit_s
Communicator

thanks for your answer.. can you please explain how it is answering my question ?

0 Karma

gcusello
SplunkTrust

Hi @sarit_s,
Using this search you have the results grouped by occurrences, so you can get the values that differ from most events. I cannot see any other way to find the differences from the usual value, unless it is possible to define the expected value in advance.

Ciao.
Giuseppe

0 Karma

sarit_s
Communicator

I think I did not explain myself well...

Let's say I have 5 different eventtypes..
Each one of them gets a count value..
For the example, each one of them gets the value 1..
If the count value of all the eventtypes is equal then all is OK, but if the value is not equal I have to act as written in the question.. So if 4 of the eventtypes have the value 1 and one of them has the value 0 then it is not OK. I have to find those rows where there is a difference between the count values for each timestamp.
After I find this I have to do the rest of the description in my question..

0 Karma

to4kawa
Ultra Champion

index="prod" eventtype="csm-messages-dhcpd-lpf-eth0-sending" OR eventtype="csm-messages-dhcpd-lpf-eth0-listening" OR eventtype="csm-messages-dhcpd-send-socket-fallback-net" OR eventtype="csm-messages-dhcpd-write-zero-leases" OR eventtype="csm-messages-dhcpd-eth1-nosubnet-declared"
| bin span=1min _time
| stats count by _time eventtype

0 Karma

sarit_s
Communicator

thanks for your answer but it is not giving the wanted results

0 Karma

to4kawa
Ultra Champion

really?

This displays over 5000 rows.

I can't answer Q2 because there is no detail.

0 Karma

sarit_s
Communicator

Hey,
maybe it displays more than 50000 but not the right results 🙂
Anyway, the main thing is Q2..
I will try to explain it better..
I have 5 eventtypes.. each one of them has a count value..
The good scenario is when the count value of all the eventtypes is equal.. so I want to check if this value is equal (for each row) and if not to do what is written in my question..

0 Karma
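
One way to express the check from question 2, added here as an example and not posted by any participant in the thread: count per minute and eventtype, then compare the counts within each minute. The field names types_seen, min_count, max_count, eventtypes_seen, alert_name and severity are made up for the example, the 5 is the number of eventtypes in the search, and it assumes each event matches only one of the five eventtypes.

```spl
index="prod" (eventtype="csm-messages-dhcpd-lpf-eth0-sending" OR eventtype="csm-messages-dhcpd-lpf-eth0-listening" OR eventtype="csm-messages-dhcpd-send-socket-fallback-net" OR eventtype="csm-messages-dhcpd-write-zero-leases" OR eventtype="csm-messages-dhcpd-eth1-nosubnet-declared")
| bin span=1m _time
| stats count BY _time eventtype
| stats dc(eventtype) AS types_seen min(count) AS min_count max(count) AS max_count values(eventtype) AS eventtypes_seen BY _time
| where types_seen < 5 OR min_count != max_count
| eval alert_name="CSM DHCP Anomaly", severity="Medium"
| table _time alert_name severity types_seen min_count max_count eventtypes_seen
```

Because stats emits no row for an eventtype with zero events in a minute, the types_seen < 5 test is what catches the "four at 1, one at 0" case described in the thread. Each returned row is one anomalous timestamp, so a saved alert on this search can trigger once per result.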