×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
pgraf
Observer
Member since: ‎07-06-2021
‎07-06-2021
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎07-06-2021
Activity Feed
View All

Re: Duration between two events with conditions

by in Splunk Search
‎07-06-2021 01:40 AM
‎07-06-2021 01:40 AM
I've anonymised an SET and UPDATE event which you can see below. To find the related events I'm using the field "AlarmID". Unfortunately, I'm not really having an idea how to properly do it, so I don't have any search for that particular request but I'll past the search I'm using to get duration till clear. Thanks a lot Event Example This is the UPDATE Event ============================================================ Current Date and Time is : Mon Jul 5 17:47:31 CEST 2021 Alarm Notification from XXXXXXXXXX Alarm UPDATEd: UpdateDate: 07/05/2021 UpdateTime: 17:47:31 DeviceType: XXXXXXXXXXX Mtype: XXXXXXXX ModelName: XXXXXXXXXX AlarmID: 6755882 AlarmTitle: Issue with Network Device TTID: INCXXXXXXXX GlobalAlarmID: 12345678-12345678-12344566 Severity: CRITICAL ProbableCauseID: 10009 RepairPerson: AlarmStatus: XXXXXXXXX IPAddress: xx.xx.xx.xx AlarmState: NEW Acknowledged: FALSE UserClearable: FALSE Location: AlarmAge: 0 NotificationData: ProbableCause: Issue with Network Device IfName: XXXXXXXXX IfDesc: XXXXXXXXX IfAlias: XXXXXXXXXX TicketStatus: XXXXXXXXXX CRQ_ID: Maintenance: EnrichmentInfo: Processing_time_00:06:04 ============================================================   This is the SET event ============================================================ Current Date and Time is : Mon Jul 5 17:38:28 CEST 2021 Alarm Notification from XXXXXXXX Alarm SET: SetDate: 07/05/2021 SetTime: 17:38:27 DeviceType: XXXXXXXXXXX Mtype: XXXXXXXXXXX ModelName: XXXXXXXXXXX AlarmID: 6755882 AlarmTitle: Issue with Network Device TTID: GlobalAlarmID: 12345678-12345678-12344566 Severity: CRITICAL ProbableCauseID: 10009 RepairPerson: AlarmStatus: IPAddress: XXXXXXXXXXX AlarmState: NEW Acknowledged: FALSE UserClearable: FALSE Location: AlarmAge: 0 NotificationData: ProbableCause: Issue with Network Device IfName: XXXXXXXXXXX IfDesc: XXXXXXXXXXX IfAlias: XXXXXXXXXXX TicketStatus: CRQ_ID: Maintenance: EnrichmentInfo: ============================================================   Search I'm using for the Clear Case (thats already a drilldown search from a bar chart in which a counting of alarms cleared in a bucket is presented) index=general sourcetype=alarming (Event_Type=SET OR Event_Type=CLEARER) | transaction AlarmID startswith=Event_Type=SET endswith=Event_Type=CLEARED | eval duration_bucket=case(duration<=10, "0-10sec", duration=0, "0sec", duration>10 AND duration<=30, "10-30sec", duration>30 AND duration<=60, "30-60sec", duration>60 AND duration<=120, "60-120sec", duration>120 AND duration<=180, "120-180sec", duration>180 AND duration<=240, "180-240sec", duration>240 AND duration<=300, "240-300sec", duration>300, ">300sec") | search duration_bucket=180-240sec | table _time, DeviceName, AlarmTitle, duration ... View more

Duration between two events with conditions

by in Splunk Search
‎07-06-2021 12:40 AM
‎07-06-2021 12:40 AM
Hi guys Im pretty new to Splunk and do not know how to create the search I need. We are forwarding events from our Faul Monitoring toward Splunk. there are three Type of event having the same fields. The three types are SET, UPDATE and CLEAR. So if an alarm is raised SET is the first event in Splunk afterward if more fields are filled in the monitoring UPDATE events are coming to splunk. Depending on the fault several (n) update events can be there. If the fault is closed the CLEAR event is received by Splunk. At some point the field "TTID" in an update event contains a TTID but all following UPDATES will contain it as well. What I try to achiev is searching for SET AND UPDATE and calculate the duration between the SET and the first UPDATE which is containing *INC* in the TTID field I've created a search to get duration between SET and CLEAR but as UPDATE can be there n-times I do not know how to really get the time between the first UPDATE containing *INC* in the TTID field Thanks a lot for your help ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎07-06-2021 05:06 AM