×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
mahesh21894
New Member
Member since: ‎05-26-2023
‎05-31-2023
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎05-26-2023
Activity Feed
View All

Re: Splunk query for bayesian check

by in Splunk Search
‎05-31-2023 02:57 PM
‎05-31-2023 02:57 PM
Apologies for not posting query clearly, i was little confused with my usecase & new to splunk as well. Here is the quick description of use case: I would like to flag a splunk record(X) when there exists certain splunk record(Y) in +15mins(future) w.r.t event  time of X. This is to filter out some false positives in logs. Looks like  -> append accumulates results -> and doesn't run a subsearch for every event faced in outer query. So it felt like i need a map instead of append, below is a sample query: <common_search> "Inconsistency with item=*, on Date=*" | eval pid=itemId, dt=ItemDate, a_latest=_time+900, a_earliest=_time | map maxsearches=20000 search='search  earliest=\"$a_earliest$\" latest=\"$a_latest$\"<common_search>  \"consistent with item=$pid$, on Date=$Dt$\" | stats count | eval isThereAEventBefore=if(count>0, 1, 0)' | eventstats values(isThereAEventAfter) as isThereAEventAfter common_search:- index=.. splunk_server_group=.. sourcetype=.. host="*beta*" source="<path>" Notes: -> As i don't future logs handy yet, i was looking back on a random log by hardcoding it in subsearch. -> My query seems to be going into queue & after sometime, i get 0 matches. Though i need in future, currently i am checking back in time _time-900. Can i assume it works similarly for future time as well _time+900 could you please help me if i framed query in right fashion w.r.t my use case ? & why its still gives no matches? ... View more

Splunk query for bayesian check- Why am I getting ...

by in Splunk Search
‎05-26-2023 10:04 AM
‎05-26-2023 10:04 AM
I am trying to refine search based on a sub query, where sub query is not a filter of outer query. I need to check if certain event happend in the past time(which is different from outer query). Say current logline is :  "Timestamp 9am Log:Info found x=2$ on day1" I want to search something like this: app=my-app "found x=2$ on day1"  | eval isThereAEventBefore=(subQuery greater than 0, 1, 0) replace subQuery with:  (app=my-app "found x=*$ on day1 earliest=-1h" | stats count)   When i tried to write this query, i s: Error in 'eval' command: The expression is malformed. Expected ).   ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎05-31-2023 06:18 PM