- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: transaction that ends if a certain value chang...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
I'am sure there was already someone that had this problem and there is probably a answer right in front of me. But with all the effort reading trough splunk answer I couldn't find a proper solution.
My Log file:
12:00:00 name=SENSOR1 value=true
12:02:00 name=SENSOR1 value=true
12:03:00 name=SENSOR1 value=true
12:04:00 name=SENSOR1 value=false
12:05:00 name=SENSOR1 value=false
12:10:00 name=SENSOR1 value=false
12:11:00 name=SENSOR1 value=true
12:12:00 name=SENSOR1 value=true
12:13:00 name=SENSOR1 value=true
12:14:00 name=SENSOR1 value=true
12:15:00 name=SENSOR1 value=false
What I would like to have as e result:
12:00:00 name=SENSOR1 value=true duration=240
12:04:00 name=SENSOR1 value=false duration=420
12:11:00 name=SENSOR1 value=true duration=240
My Current Search :
value=true | transaction value, name maxpause=140s |append [search value=false | transcation value, name maxpause=140s]
Which gives me
12:00:00 name=SENSOR1 value=true duration=180
12:04:00 name=SENSOR1 value=false duration=60
12:10:00 name=SENSOR1 value=false duration=0
12:11:00 name=SENSOR1 value=true duration=180
So I know the Problem I have is the maxpause, how can I handle that problem ? If I'am increasing the maxpause it will combine events that shouldn't be together. But I still would like to have one event for as this is in my case one transaction, and it's possible that a sensor doesn't send regularly a status value.
any help or link to a already answered question would be nice
Christian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try to use streamstats.
| makeresults |eval data="time=12:00:00 name=SENSOR1 value=true, time=12:02:00 name=SENSOR1 value=true,time=12:03:00 name=SENSOR1 value=true,time=12:04:00 name=SENSOR1 value=false,time=12:05:00 name=SENSOR1 value=false,time=12:10:00 name=SENSOR1 value=false,time=12:11:00 name=SENSOR1 value=true,time=12:12:00 name=SENSOR1 value=true,time=12:13:00 name=SENSOR1 value=true,time=12:14:00 name=SENSOR1 value=true,time=12:15:00 name=SENSOR1 value=false"|makemv data delim="," |mvexpand data|rename data as _raw|kv|convert auto(time) as _time|sort 0 - _time name|streamstats window=1 current=f values(_time) as nextTime values(value) as nextValue values(name) as nextName|sort 0 _time name|streamstats earliest(_time) as sessionTime by name value reset_on_change=t|eval duration=nextTime-_time|stats sum(duration) as duration by sessionTime
http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/SearchReference/Streamstats
adding something along the lines of:
|sort 0 - _time name|streamstats window=1 current=f values(_time) as nextTime values(value) as nextValue values(name) as nextName|sort 0 _time name|streamstats earliest(_time) as sessionTime by name value reset_on_change=t|eval duration=nextTime-_time|stats sum(duration) as duration by sessionTime
might help. might need a little adjusting, though
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I hope it helps,
your search | eval _raw = _raw."#" | transaction value, name maxpause=140s | eventstats values(_raw) by duration | eval _raw = split(_raw,"#") | table _raw duration
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thanks but I think the problem will resists as, the maxpause is still making sure that after 140s no event receives, a new transaction is started.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try to use streamstats.
| makeresults |eval data="time=12:00:00 name=SENSOR1 value=true, time=12:02:00 name=SENSOR1 value=true,time=12:03:00 name=SENSOR1 value=true,time=12:04:00 name=SENSOR1 value=false,time=12:05:00 name=SENSOR1 value=false,time=12:10:00 name=SENSOR1 value=false,time=12:11:00 name=SENSOR1 value=true,time=12:12:00 name=SENSOR1 value=true,time=12:13:00 name=SENSOR1 value=true,time=12:14:00 name=SENSOR1 value=true,time=12:15:00 name=SENSOR1 value=false"|makemv data delim="," |mvexpand data|rename data as _raw|kv|convert auto(time) as _time|sort 0 - _time name|streamstats window=1 current=f values(_time) as nextTime values(value) as nextValue values(name) as nextName|sort 0 _time name|streamstats earliest(_time) as sessionTime by name value reset_on_change=t|eval duration=nextTime-_time|stats sum(duration) as duration by sessionTime
http://docs.splunk.com/Documentation/SplunkCloud/6.6.0/SearchReference/Streamstats
adding something along the lines of:
|sort 0 - _time name|streamstats window=1 current=f values(_time) as nextTime values(value) as nextValue values(name) as nextName|sort 0 _time name|streamstats earliest(_time) as sessionTime by name value reset_on_change=t|eval duration=nextTime-_time|stats sum(duration) as duration by sessionTime
might help. might need a little adjusting, though
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I will try this, a give feedback. At the first glance it looks pretty good for me.
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
