Splunk Search

help with query

sarit_s
Communicator

Hello,
I have 2 kinds of events: X and Y,
and I want to see how many times X+Y happen at the same time and how many times each one of them happens alone.
How can I do it?

Thanks

Edit:
This is the flow:

  1. Query a specific eventtype (E1) for a specific tail_id and get all the timestamps in which it appears
  2. For each of the above timestamps query the same tail_id at the timestamp +/- a given delta
  3. For each query above count how many times different eventtypes appear
  4. Return a sum of total amounts of time each of the above events was seen with the original E1 event. E.g. if E1 was seen a total of 100 times have a list that shows E2 was seen all 100 times with E1, E3 was seen 50 times with E1, etc.

Do you think it will be possible to run something like this in a single Splunk query, and more so, will it be efficient to have nested queries and loops in the same command?


woodcock
Esteemed Legend

Like this:

... | stats count BY XorYfield
| addtotals

sarit_s
Communicator

This is the flow I want:

  1. Query a specific eventtype (E1) for a specific tail_id and get all the timestamps in which it appears
  2. For each of the above timestamps query the same tail_id at the timestamp +/- a given delta
  3. For each query above count how many times different eventtypes appear
  4. Return a sum of total amounts of time each of the above events was seen with the original E1 event. E.g. if E1 was seen a total of 100 times have a list that shows E2 was seen all 100 times with E1, E3 was seen 50 times with E1, etc.
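The four-step flow described in the edit above and restated in this reply, worked through outside Splunk as an added Python example (not code from the original thread): for each E1 occurrence of one tail_id it collects the eventtypes seen within +/- delta seconds and counts, per eventtype, how many E1 occurrences it accompanied, and it also counts how often each eventtype occurs alone, which is what the original question asked. The events, tail_ids, eventtypes and the delta are constructed sample values.

```python
from bisect import bisect_left, bisect_right
from collections import Counter

# Constructed sample events: (epoch seconds, tail_id, eventtype). Not real data.
EVENTS = [
    (100, "T1", "E1"), (102, "T1", "E2"), (103, "T1", "E3"),
    (200, "T1", "E1"), (204, "T1", "E2"),
    (300, "T1", "E1"),                     # E1 with nothing nearby
    (400, "T1", "E2"),                     # E2 with nothing nearby
    (105, "T2", "E1"), (106, "T2", "E3"),  # other tail_id, kept separate
]

def _window(tail, times, t, delta):
    """Events of one tail_id whose timestamp lies in [t - delta, t + delta]."""
    lo, hi = bisect_left(times, t - delta), bisect_right(times, t + delta)
    return tail[lo:hi]

def cooccurrence(events, tail_id, anchor="E1", delta=5):
    """Steps 1-4 of the flow for one tail_id.

    Returns (number of anchor events, {eventtype: number of anchor events that
    had at least one event of that type within +/- delta}, anchors seen alone).
    Each anchor occurrence is counted once per eventtype, so a per-type count
    can never exceed the anchor total.
    """
    tail = sorted(e for e in events if e[1] == tail_id)   # step 1: scope to tail_id
    times = [e[0] for e in tail]
    seen_with, alone = Counter(), 0
    anchors = [e for e in tail if e[2] == anchor]          # step 1: anchor timestamps
    for t, _, _ in anchors:
        others = {e[2] for e in _window(tail, times, t, delta) if e[2] != anchor}
        if not others:
            alone += 1
        seen_with.update(others)                            # steps 2-4: count per type
    return len(anchors), dict(seen_with), alone

def alone_counts(events, tail_id, delta=5):
    """Per eventtype: occurrences with no event of a different type within +/- delta."""
    tail = sorted(e for e in events if e[1] == tail_id)
    times = [e[0] for e in tail]
    alone = Counter()
    for t, _, et in tail:
        if all(e[2] == et for e in _window(tail, times, t, delta)):
            alone[et] += 1
    return dict(alone)

if __name__ == "__main__":
    print(cooccurrence(EVENTS, "T1"))   # (3, {'E2': 2, 'E3': 1}, 1)
    print(alone_counts(EVENTS, "T1"))   # {'E1': 1, 'E2': 1}
```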

jpolvino
Builder

When you say "at the same time" do you mean they have the same timestamps, or are you looking for processing time overlaps?


gcusello
SplunkTrust

Hi @sarit_s,
If your events are in indexes X and Y, you could run something like this:

index=X OR index=Y
| stats count BY index
| addcoltotals labelfield=index label="Total"

If your events are in the same index, find a field to divide them (e.g. sourcetype or something else) and use it in the stats count command.

Ciao.
Giuseppe
