Splunk Search

time and punct compare entries conditions

cpeteman
Contributor

Currently I am using this search over two hours:

<searchterms> earliest=-2h latest=now() | dedup punct,_time| eval TimeInHour=_time%3600 | rex mode=sed "s/ \d{1,2}:\d{1,2}:\d{1,2}//g" | table _raw,_time,TimeInHour,punct | sort TimeInHour,_raw 

To get results:

#    _time                     TimeInHour   punct
1    7/31/13 2:00:00.000 PM    0            --_::_)_@@@_________:_[_/_]__@_/()_->---@...@:/__/
2    7/31/13 2:00:00.000 PM    0            --_::_...@:/__/__________://__/-
3    7/31/13 1:00:00.000 PM    0            --_::_...@:/__/__________://__/-
4    7/31/13 1:00:00.000 PM    0            --_::_/()_->---@...@:/__/__________://__/-
5    7/31/13 2:00:00.000 PM    0            --_::_:_---:___-_(_...@)__;____________
6    7/31/13 1:00:00.000 PM    0            --_::_:_---:___-_(_...@)__;____________
7    7/31/13 2:00:00.000 PM    0            --_::_:_---:____-_(_...@)
8    7/31/13 1:00:00.000 PM    0            --_::_:_---:____-_(_...@)
9    7/31/13 2:00:00.000 PM    0            --_::_:_-:______-;________.
10   7/31/13 2:00:00.000 PM    0            --_::_:_::(.::())_---:___,_
11   7/31/13 2:00:00.000 PM    0            --_::_:_::(.::())_@@@_________:_[_/_]__@_/()_->---
12   7/31/13 1:00:00.000 PM    0            --_::_:_::(.::())_@@@_________:_[_/_]__@_/()_->---
13   7/31/13 1:00:00.000 PM    0            --_::_:_::(.::())___,__-,__

What I want to do is to get only the results that have the same punct and TimeInHour as an entry in a different hour (different _time):

#    _time                     TimeInHour   punct
2    7/31/13 2:00:00.000 PM    0            --_::_...@:/__/__________://__/-
3    7/31/13 1:00:00.000 PM    0            --_::_...@:/__/__________://__/-
5    7/31/13 2:00:00.000 PM    0            --_::_:_---:___-_(_...@)__;____________
6    7/31/13 1:00:00.000 PM    0            --_::_:_---:___-_(_...@)__;____________
7    7/31/13 2:00:00.000 PM    0            --_::_:_---:____-_(_...@)
8    7/31/13 1:00:00.000 PM    0            --_::_:_---:____-_(_...@)
11   7/31/13 2:00:00.000 PM    0            --_::_:_::(.::())_@@@_________:_[_/_]__@_/()_->---
12   7/31/13 1:00:00.000 PM    0            --_::_:_::(.::())_@@@_________:_[_/_]__@_/()_->---

I think I need to use a "| search" of some sort. Please help.


kristian_kolb
Ultra Champion

<searchterms> earliest=-2h@h latest=@h | stats dc(date_hour) AS c values(date_hour) AS date_hour by punct | search c=2 | table date_hour punct

You can then sort on whatever column you like. If you want a more proper timestamp, you can insert bucket _time span=1h before the stats and use _time instead of date_hour.


HiroshiSatoh
Champion

Is this no good for you?

TimeInHour=_time%3600 -> TimeInHour=date_hour
sort TimeInHour,_raw -> sort TimeInHour,punct,_time


HiroshiSatoh
Champion

Excuse me, sir. That was the wrong answer, and it did not convert the time. What if you extract only the repeated entries with a subsearch?

<searchterms> earliest=-2h latest=now() | dedup punct,_time | eval TimeInHour=_time%3600 | join type=inner TimeInHour punct [search <searchterms> earliest=-2h latest=now() | dedup punct,_time | eval TimeInHour=_time%3600 | stats count by TimeInHour,punct | where count>1] | rex mode=sed "s/ \d{1,2}:\d{1,2}:\d{1,2}//g" | table _raw,_time,TimeInHour,punct | sort TimeInHour,_raw

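The join-with-subsearch pipeline in the answer above, modelled outside Splunk so the matching logic can be checked on constructed input. This is an added example, not code from the thread: it reimplements dedup punct,_time, eval TimeInHour=_time%3600, stats count by TimeInHour,punct, where count>1 and the inner join, over a handful of made-up syslog-style lines. The punct() helper is an approximation of Splunk's punct field (alphanumerics removed, spaces turned into underscores); the real field can differ in details such as length limits, so treat it as an assumption. Because dedup has already collapsed events that share punct and _time, a count above 1 for a (TimeInHour, punct) pair can only come from events in different hours, which is exactly the "same second of the hour, different hour" condition the question asks for, and the kind of check used to flag scheduled or beacon-like activity.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample events (not taken from the original thread). The first 19
# characters are the timestamp, the rest is the message.
#   - line 3 is an exact duplicate of line 2 and is dropped by dedup punct,_time
#   - line 6 occurs in only one hour and must not be reported
#   - line 7 shares punct with the sshd lines but sits at a different second
#     within the hour (TimeInHour=1800), so it must not be reported either
SAMPLE_EVENTS = [
    "2013-07-31 13:00:00 host1 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "2013-07-31 14:00:00 host1 sshd[5678]: Accepted publickey for bob from 10.0.0.9 port 51240 ssh2",
    "2013-07-31 14:00:00 host1 sshd[5678]: Accepted publickey for bob from 10.0.0.9 port 51240 ssh2",
    "2013-07-31 13:00:05 host2 cron[99]: (root) CMD (/usr/bin/rotate.sh)",
    "2013-07-31 14:00:05 host2 cron[99]: (root) CMD (/usr/bin/rotate.sh)",
    "2013-07-31 13:00:10 host3 kernel: eth0: link down",
    "2013-07-31 14:30:00 host1 sshd[42]: Accepted publickey for carol from 10.0.0.7 port 5 ssh2",
]

_ALNUM = re.compile(r"[A-Za-z0-9]")


def punct(raw):
    """Approximation (assumption) of Splunk's punct field: drop letters and
    digits, replace spaces with underscores, keep all other characters."""
    return _ALNUM.sub("", raw).replace(" ", "_")


def parse_event(raw):
    """Build the fields the SPL pipeline works with: _raw, _time (epoch seconds,
    timestamps assumed UTC), punct and TimeInHour=_time%3600."""
    ts = datetime.strptime(raw[:19], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    t = int(ts.timestamp())
    return {"_raw": raw, "_time": t, "punct": punct(raw), "TimeInHour": t % 3600}


def dedup(events, *fields):
    """Equivalent of `dedup f1,f2`: keep the first event for each field combination."""
    seen, kept = set(), []
    for e in events:
        key = tuple(e[f] for f in fields)
        if key not in seen:
            seen.add(key)
            kept.append(e)
    return kept


def recurring_across_hours(raw_events):
    """Return the events whose (TimeInHour, punct) pair occurs at more than one
    distinct _time, sorted by TimeInHour then _raw, mirroring:
      dedup punct,_time | eval TimeInHour=_time%3600
      | join TimeInHour punct [ ... | stats count by TimeInHour,punct | where count>1 ]
    """
    events = dedup((parse_event(r) for r in raw_events), "punct", "_time")
    # stats count by TimeInHour,punct | where count>1  (the subsearch)
    counts = Counter((e["TimeInHour"], e["punct"]) for e in events)
    repeated = {key for key, n in counts.items() if n > 1}
    # inner join on TimeInHour and punct: keep only events whose key repeats
    matched = [e for e in events if (e["TimeInHour"], e["punct"]) in repeated]
    return sorted(matched, key=lambda e: (e["TimeInHour"], e["_raw"]))


if __name__ == "__main__":
    for e in recurring_across_hours(SAMPLE_EVENTS):
        print(f"{e['_time']}  {e['TimeInHour']:>4}  {e['punct']}  {e['_raw']}")
```

Inside Splunk the join form inherits the subsearch limits (result count and runtime caps), so on busy indexes a single stats pass (for example stats values(_time) dc(_time) by TimeInHour punct, then where the distinct count exceeds 1) is the more robust shape of the same check; the example above only verifies that the matching logic picks the right rows.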

cpeteman
Contributor

date_hour gives the hour of the day, I think. I wanted the seconds of that hour.
