- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- searching in 3 specific time periods
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
I have a sourcetype that have a lot thousands of event each minute so it is very big.
i have a use case that i need to search for specific event in this source type , in some points of time during the night, (22:30-22:40 , 01:30-01:40 , 03:00-03:10).
i have to find all the hosts that have the specific event 3 time at night in this time periods , and i need to check it for the last 7 days (the result i need at the end is count the number of night with 3 occurrence of the event in the last week)
at the first step i am trying to reduce the number of events for this search by searching only for events in this time frame.
i tried to eval new fields with the value of the hour, and filtering base on that field. this is not so good because splunk need to check all the events and then filter them.
what is the best and efficient way to reduce the number of event that are included in my search to only those in the time periods above ?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this (add the subsearch to your base search):
index=foo sourcetype=bar [| makeresults | addinfo | eval time=mvrange(info_min_time, info_max_time, 86400) | mvexpand time | eval _time=relative_time(time,"@d") | eval search="(earliest=".relative_time(_time,"+1h+30m")." latest=".relative_time(_time,"+1h+40m").")#(earliest=".relative_time(_time,"+3h")." latest=".relative_time(_time,"+3h+10m").")#(earliest=".relative_time(_time,"+22h+30m")." latest=".relative_time(_time,"+22h+40m").")" | table search | makemv search delim="#" | mvexpand search | format "" "" "" "" "" "" | rex mode=sed field=search "s/\"//g"]- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this (add the subsearch to your base search):
index=foo sourcetype=bar [| makeresults | addinfo | eval time=mvrange(info_min_time, info_max_time, 86400) | mvexpand time | eval _time=relative_time(time,"@d") | eval search="(earliest=".relative_time(_time,"+1h+30m")." latest=".relative_time(_time,"+1h+40m").")#(earliest=".relative_time(_time,"+3h")." latest=".relative_time(_time,"+3h+10m").")#(earliest=".relative_time(_time,"+22h+30m")." latest=".relative_time(_time,"+22h+40m").")" | table search | makemv search delim="#" | mvexpand search | format "" "" "" "" "" "" | rex mode=sed field=search "s/\"//g"]- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is exactly the kind of solution i was looking for, it works great. the only minor change was in the format part where i had to add OR a separator
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Any search will have to pull 7 days of data, but should be able to reduce the number of events considered by using a where command. Assuming your events have the date_hour and date_minute fields this may help.
| where ((date_hour=22 AND (date_minute>=30 AND date_minute<=40)) OR
(date_hour=1 AND (date_minute>=30 AND date_minute<=40)) OR
(date_hour=3 AND (date_minute>=0 AND date_minute<=10)))
If this reply helps you, Karma would be appreciated.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
