Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there an alternative command for the timeshift(Sumo logic ) in splunk?

Vikasreddys
Engager
‎07-25-2022 10:42 PM

Hi Everyone,

I need to migrate the report from sumo logic to splunk . In sumo logic report we have time compare option The compare operator allows you to compare current search results with data from a past time period for aggregate searches


For eg : if you wanted to compare the behavior of backfill errors count with the span of 5min of events per hour  along with the timeshift 3min . it gives the count of events for every 5min along with the count at 3 min prior to that events .The compare operator allows you to compare current search results with data from a past time period for aggregate searches


How to achieve this in Splunk ?

Here is the sample sumo logic query 

(_sourceCategory=app (error OR fail*) AND exception)

| "Quote Sequences Error"as ALERT_DESC
| _sourcecategory as SUMO_SOURCE_CATEGORY
| "APP-PROD" as APP_ID
| _sourcehost as APP_SERVER_NAME
| _sourcename as APP_SOURCE_CATEGORY
| _sourcecategory as SUMO_SOURCE_CATEGORY
| timeslice 3m
| count by _timeslice,APP_ID,APP_SERVER_NAME,APP_SOURCE_CATEGORY,SUMO_SOURCE_CATEGORY,ALERT_DESC
| formatDate(_timeslice, "HH:mm:ss:SSS") as EventTime
| if(_count > "100","1",
if(_count > "50","2",
if(_count > "3" and EventTime > "12:00:00" and EventTime < "05:00:00", "4",
if(_count > "3", "3","0")))) as sumo_severity
| format ("%s total errors in the last 3 minutes", _count) as notes
| compare with timeshift 3m
| if (isBlank(sumo_severity_3m) , "0", sumo_severity_3m) as sumo_severity_3m
| where sumo_severity != sumo_severity_3m and !(isblank(sumo_severity))
| sort by _timeslice desc | fields - EventTime, EventTime_3m









 


Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-25-2022 11:14 PM

Hi @Vikasreddys ,

did you already seen this sitehttps://uncoder.io/ to translate Sumo Login Queries in Splunk Searches?

Now, when I'm answering to your question, the service is temporary unavailable so I cannot directly answer, but it will be back soon.

Ciao.

Giuseppe

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...