Splunk Search

Need help with SPL query

807mohd
Explorer

Hello,

I'm trying to achieve a result set which can be used in an alert later on.

Basically, when the search is executed, it should look for a field named "state" and compare it with its value from two hours ago for the same corresponding record, identified by the field "pv_number". If the value of the field did not change between "now" and "two hours ago", capture it in a table showing previous state and current state along with previous time and current time.

Any help is greatly appreciated.

Thanks much! 

1 Solution

yuanliu
SplunkTrust

I think streamstats in the title throws volunteers off because it is hard to see how it relates to your requirement, which you describe quite well without SPL. It would be better if you also illustrated input and desired output.

Here is one way to do what you ask:

index=foo sourcetype=bar earliest=-2h latest=now
| addinfo ``` adds info_min_time / info_max_time, the bounds of the search window ```
| stats earliest(state) as two_hours_ago latest(state) as now by pv_number info_min_time info_max_time
| where two_hours_ago == now
| eval info_min_time = strftime(info_min_time, "%F %T"), info_max_time = strftime(info_max_time, "%F %T")

Emulated output without the where filter looks like

pv_number                info_min_time        info_max_time        two_hours_ago  now
ApplicationUpdateThread  2024-10-03 22:44:19  2024-10-04 00:44:19  22             22
ExecProcessor            2024-10-03 22:44:19  2024-10-04 00:44:19  44             44
HTTPDispatch             2024-10-03 22:44:19  2024-10-04 00:44:19  28             29
SavedSearchFetcher       2024-10-03 22:44:19  2024-10-04 00:44:19  27             27
TcpChannelThread         2024-10-03 22:44:19  2024-10-04 00:44:19  21             33
TelemetryMetricBuffer    2024-10-03 22:44:19  2024-10-04 00:44:19  31             33
indexerPipe              2024-10-03 22:44:19  2024-10-04 00:44:19  0              0
tailreader0              2024-10-03 22:44:19  2024-10-04 00:44:19  44             44
webui                    2024-10-03 22:44:19  2024-10-04 00:44:19  28             29

With filter, the output is

pv_number                info_min_time        info_max_time        two_hours_ago  now
ApplicationUpdateThread  2024-10-03 22:42:19  2024-10-04 00:42:19  22             22
ExecProcessor            2024-10-03 22:42:19  2024-10-04 00:42:19  42             42
SavedSearchFetcher       2024-10-03 22:42:19  2024-10-04 00:42:19  27             27
indexerPipe              2024-10-03 22:42:19  2024-10-04 00:42:19  0              0
tailreader0              2024-10-03 22:42:19  2024-10-04 00:42:19  42             42

Is this something you are looking for?

The emulation I use to produce mock data is

index=_internal earliest=-2h latest=now
| rename thread_name as "pv_number", date_minute as state
``` data emulation above ```



807mohd
Explorer

Hi yuanliu

Firstly, thanks for looking into it and helping with the SPL query. It was pleasing to see someone responding; I felt like I should buy a coffee 🙂
I apologize for my mistake of mentioning streamstats.

I think I did not put my original request properly, let me try again.
So when the search is executed (now), we need data from two points in time: now and two hours ago.

 

If I'm running a search at 16:05:02,

The first set will have data values of pv_number (example: ext034) and "state" value (6) at that point in time (from two hours ago, so 14:05:02).

In the second set of data values, if pv_number (if it still exists at this point in time @ 16:05:02) still has "state" value (6), then I want to see the table showing pv_number and both times along with previous and current state.

Hope it helps.


yuanliu
SplunkTrust

I think my understanding fits your description. The idea behind my suggested search is:

  1. Search between the two hours. Find all records that have pv_number. (You can restrict pv_number to a given value, but my search assumes that you want to group by pv_number, which is stated in the OP.)
  2. Look for the earliest value of state, and the latest.
  3. Compare the earliest value and the latest value. Only print those where the two are equal.

Have you tried my search? Also play with my emulation (it should run in any instance), and examine the output with and without that where filter. As my code indicates, I use thread_name to fake pv_number and date_minute to fake state. They may have different values from your real data, but the principle is the same.

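The three steps above, emulated outside Splunk as an added example that is not part of the thread: constructed events for four hypothetical pv_number values are grouped the way `stats earliest(state) latest(state) by pv_number` groups them, the answer's `where two_hours_ago == now` filter is applied, and a stricter variant is shown beside it. The stricter variant matters when the result feeds an alert: comparing only the endpoints also passes a pv_number whose state changed and changed back inside the window, and one that appears only once in the window (its earliest and latest event are the same record). The event set, the pv_number names (ext034 to ext037) and the window bounds are all constructed for the example.

```python
"""Emulation of the answer's stats/where pipeline over constructed events.
Added example, not code from the thread or from Splunk."""
from collections import defaultdict
from datetime import datetime, timedelta

# Window bounds as addinfo would report them (constructed, matches the
# answer's first table): info_min_time = now - 2h, info_max_time = now.
T0 = datetime(2024, 10, 3, 22, 44, 19)
T1 = T0 + timedelta(hours=2)

# Constructed sample events: (_time, pv_number, state). Not real Splunk data.
EVENTS = [
    (T0 + timedelta(minutes=1),   "ext034", 6),  # unchanged: 6 -> 6 -> 6
    (T0 + timedelta(minutes=90),  "ext034", 6),
    (T0 + timedelta(minutes=119), "ext034", 6),
    (T0 + timedelta(minutes=2),   "ext035", 3),  # changed: 3 -> 4
    (T0 + timedelta(minutes=100), "ext035", 4),
    (T0 + timedelta(minutes=5),   "ext036", 6),  # flip-flop: 6 -> 7 -> 6
    (T0 + timedelta(minutes=60),  "ext036", 7),
    (T0 + timedelta(minutes=110), "ext036", 6),
    (T0 + timedelta(minutes=30),  "ext037", 1),  # single event in the window
]


def stats_by_pv_number(events):
    """Equivalent of:
    | stats earliest(state) as two_hours_ago latest(state) as now
            dc(state) as n_states count by pv_number
    earliest()/latest() pick the state of the oldest/newest event per group."""
    groups = defaultdict(list)
    for t, pv, state in events:
        groups[pv].append((t, state))
    rows = {}
    for pv, recs in groups.items():
        recs.sort()  # order by _time
        rows[pv] = {
            "two_hours_ago": recs[0][1],
            "now": recs[-1][1],
            "n_states": len({s for _, s in recs}),
            "count": len(recs),
        }
    return rows


def unchanged_endpoints(events):
    """The answer's filter: | where two_hours_ago == now.
    Passes ext036 (changed and changed back) and ext037 (one event)."""
    rows = stats_by_pv_number(events)
    return sorted(pv for pv, r in rows.items() if r["two_hours_ago"] == r["now"])


def constant_throughout(events):
    """Stricter filter for an alert: the state never moved inside the window
    and there is more than one event, so earliest and latest are distinct records.
    SPL equivalent: | where n_states=1 AND count>1"""
    rows = stats_by_pv_number(events)
    return sorted(pv for pv, r in rows.items()
                  if r["n_states"] == 1 and r["count"] > 1)


def render(events, pv_numbers):
    """Rows shaped like the answer's table. "%Y-%m-%d %H:%M:%S" is spelled
    out because %F/%T are not portable in Python's strftime."""
    rows = stats_by_pv_number(events)
    fmt = "%Y-%m-%d %H:%M:%S"
    return [(pv, T0.strftime(fmt), T1.strftime(fmt),
             rows[pv]["two_hours_ago"], rows[pv]["now"]) for pv in pv_numbers]


if __name__ == "__main__":
    print("endpoints equal:", unchanged_endpoints(EVENTS))
    print("constant throughout:", constant_throughout(EVENTS))
    for row in render(EVENTS, unchanged_endpoints(EVENTS)):
        print(*row, sep="\t")
```

Which filter is right depends on what the alert is meant to fire on: "same value at both ends of the window" is what the answer's search checks, while "never changed inside the window" needs the distinct-count condition. In SPL the stricter form is `| stats earliest(state) as two_hours_ago latest(state) as now dc(state) as n_states count by pv_number | where n_states=1 AND count>1`; this is an assumed extension of the answer's search, not part of the original reply.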

807mohd
Explorer

You are right, I had issues in my raw data. Thanks very much for the help!!
