Splunk Search

if there is no data for next 3 minutes we need to consider severity as normal with starttime, endtime


We are getting severity medium and high data with time into Splunk. Normal data is not sent into Splunk. If there is no data for the next 3 minutes we need to consider that severity as normal with a start time and end time (end_time = start time of the next severity (high or medium)). Need to show severity start time and end time when severity changes from normal to medium, medium to high, high to normal.

sample data:

12/11/2020 09:24:46:00 severity: high
12/11/2020 10:24:46:00 severity: medium
12/11/2020 12:34:46:00 severity: medium
12/11/2020 14:44:46:00 severity: high

severity=high start_time=12/11/2020 09:24:46:00 end_time=12/11/2020 09:27:46:00
severity=normal start_time=12/11/2020 09:27:46:00 end_time=12/11/2020 10:24:46:00
severity=medium start_time=12/11/2020 10:24:46:00 end_time=12/11/2020 10:27:46:00
severity=normal start_time=12/11/2020 10:27:46:00 end_time=12/11/2020 12:34:46:00
severity=medium start_time=12/11/2020 12:34:46:00 end_time=12/11/2020 12:37:46:00
severity=normal start_time=12/11/2020 12:37:46:00 end_time=12/11/2020 14:44:46:00
severity=high start_time=12/11/2020 14:44:46:00 end_time=12/11/2020 14:47:46:00
severity=normal start_time=12/11/2020 14:47:46:00 end_time=12/11/2020 23:59:59:00

I just tried adding 3 minutes to "_time" by using "eval time=_time+180". Now I am getting the next 3 minutes as time. The end time I can also get by using "| streamstats last(_time) as end_time". But how do I add the severity to that next 3 minutes' time?
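The segmentation rule the question describes (each high/medium event opens a 3-minute window, and the gap from the end of that window to the next event is reported as "normal") can be checked outside Splunk before a search is written. The script below is an added reference implementation, not part of the original post and not SPL: it parses the sample lines from the question, sorts them, and builds the expected severity/start/end rows. The end-of-day cut-off (23:59:59 on the date of the last event) and the handling of an alert that arrives inside the previous alert's 3-minute window (the earlier window is cut short and no "normal" row is emitted) are assumptions, since the question does not specify them.

```python
from datetime import datetime, timedelta

# Constructed sample input: the four events given in the question.
SAMPLE_EVENTS = """\
12/11/2020 09:24:46:00 severity: high
12/11/2020 10:24:46:00 severity: medium
12/11/2020 12:34:46:00 severity: medium
12/11/2020 14:44:46:00 severity: high
"""

TS_FMT = "%m/%d/%Y %H:%M:%S"
WINDOW = timedelta(minutes=3)  # "no data for the next 3 minutes" rule from the question


def parse_event(line):
    """Turn '12/11/2020 09:24:46:00 severity: high' into (datetime, severity).

    The trailing ':00' is treated as sub-second digits and dropped before parsing.
    """
    ts_part, sev_part = line.split(" severity: ")
    ts_str = ts_part.rsplit(":", 1)[0]
    return datetime.strptime(ts_str, TS_FMT), sev_part.strip()


def fmt(ts):
    """Render a datetime in the same 'MM/DD/YYYY HH:MM:SS:00' form as the input."""
    return ts.strftime(TS_FMT) + ":00"


def build_segments(lines, end_of_day=None):
    """Return a list of (severity, start, end) tuples covering the whole span.

    Each high/medium event owns a WINDOW-long segment; the time from the end of
    that segment to the next event's start is reported as 'normal'. The last
    event is closed at end_of_day (assumption: 23:59:59 on the event's date).
    """
    events = sorted(parse_event(l) for l in lines.strip().splitlines() if l.strip())
    segments = []
    for i, (start, sev) in enumerate(events):
        if i + 1 < len(events):
            next_start = events[i + 1][0]
        else:
            next_start = end_of_day or start.replace(hour=23, minute=59, second=59)
        # Assumption: if the next alert arrives before the window closes, the
        # current alert's segment ends there and no 'normal' row is produced.
        alert_end = min(start + WINDOW, next_start)
        segments.append((sev, start, alert_end))
        if alert_end < next_start:
            segments.append(("normal", alert_end, next_start))
    return segments


def render(segments):
    """Format segments as the 'severity=... start_time=... end_time=...' rows."""
    return [f"severity={s} start_time={fmt(a)} end_time={fmt(b)}" for s, a, b in segments]


if __name__ == "__main__":
    for row in render(build_segments(SAMPLE_EVENTS)):
        print(row)
```

Running it prints the eight rows listed in the question. The only lookahead the rule needs is the next event's start time once the events are sorted ascending, which is the same piece of information a search has to carry per event; the script is useful as an oracle to compare a search's output against.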






I'm not sure that question is quite clear enough to answer.  It feels like you started this explanation in the middle, then forgot to finish it.

I get a glimmer that maybe you want a way to perhaps have your time segments chopped up into a maximum of 3 minute chunks to make things reset back to normal regularly, but I don't know what you are referring to when you say "green" (and it's probably not important).

Your output doesn't seem to be directly related to the two events you included?  There's some minor match on a bit of them, but not enough to see what it is you want to have happen.

This is OK, though - we just need a bit more information!

So what I recommend:

Think through this problem from our point of view.  What is it that *we* need to know in order to answer this question? Remember, we don't know your environment, the dashboards you are looking at (I think that's where "green" comes in) or what this data is like except what you tell us of it.  But most of that probably isn't important anyway except the data itself, and the desired output!

Did you provide a sample set of data that's "big enough" to illustrate the situations you need to cover (I'd guess that would take 5 to 20 events - please use the code button to paste them in so they're more compact and we can isolate them easily)?

Does your expected output match (mostly, anyway) the sample data you presented?  Is it clear *how* it's related, and how we come to the output (not SPL-wise, but I mean, did you explain it clearly?)

Do you have a start at a search, what have you tried already, what wasn't right about it?

I have found that asking the question well takes time - many minutes (an hour isn't unusual!) of reviewing what it is you have, what it is you are after, and what you've tried so far.  In the process, often you solve your own problem by just doing this and breaking it down into all the little pieces and putting them back together.   But when you can't answer it with this process, you then have all the information to ask a precise, well thought out question that we can answer quickly and accurately.




Hi @Richfez, I edited the question. Please check and let me know if it's still not clear.


