Solved: Performing a MAP search in a given time window

sheamus69 · ‎09-25-2015

Hi,

I'm trying to create a MAP search to see if Event B triggers within a certain time window of Event A being triggered.

For example:

If a given Windows event on a particular Windows PC triggers at 10:15am, I want to see if a secondary event has triggered on the same PC within a 5 minute window.

I've been able to craft:

index=genericwineventlog eventcode=blah | eval src=ComputerName |map search="search index=genericwineventlog eventcode=DifferentBlah src=$src$" maxsearches=10

Which does work. I need to extract time from the first event to add "earliest=$time$ latest=$time$+1" into the map search, but am failing miserably.

Any suggestions on what I'm doing wrong?

Cheers,
Gareth

somesoni2 · ‎09-25-2015

Give this a try

index=genericwineventlog eventcode=blah | eval src=ComputerName | eval earliest=_time | eval latest=_time+300|map search="search index=genericwineventlog eventcode=DifferentBlah src=$src$ earliest=$earliest$ latest=$latest$" maxsearches=10

View solution in original post

somesoni2 · ‎09-25-2015

Give this a try

index=genericwineventlog eventcode=blah | eval src=ComputerName | eval earliest=_time | eval latest=_time+300|map search="search index=genericwineventlog eventcode=DifferentBlah src=$src$ earliest=$earliest$ latest=$latest$" maxsearches=10

Performing a MAP search in a given time window

AppDynamics Summer Webinars

SOCin’ it to you at Splunk University

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Are you a member of the Splunk Community?

Performing a MAP search in a given time window

AppDynamics Summer Webinars

SOCin’ it to you at Splunk University

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor