How to search events that occur at least one per day, count as one and number of such counts are 5 or more per one week?

Hello,

Does anybody know how to write a search that find events occur at least one per day and these events count as one and these counts must occur 5 or more times per week.

See http://imageshack.us/photo/my-images/854/5per7.jpg/

Best Regards, C4r7m4n

asked 05 Apr '12, 05:31

C4r7m4n
56●1●5
accept rate: 28%

5 Answers:

oldest newest most voted

Hi @jt_splunk

Thank you for your respond.

I don't know how exactly field <fieldofinterest> or all you have wrote, relate to my search: source="/var/log/alerts_splunk.log" hostname="*" (name="df.*" AND value>99) OR (name="*.var" AND value>95) | stats count by hostname name value | dedup hostname name | sort value desc

I don't quite understand statements: dedup date_wday <fieldofinterest> :( Remove duplicate occur at day of the week?

link

answered 09 Apr '12, 09:33

C4r7m4n
56●1●5
accept rate: 28%

edited 09 Apr '12, 16:39

If I understand correctly, for each day of the week, you only care if an event is present or not. Then, you want to know if that event occurs over the course of 5 days, right? Try this:

source="/var/log/alerts_splunk.log" hostname="" (name="df." AND value>99) OR (name="*.var" AND value>95) | dedup date_wday hostname name | stats count by hostname name value | where count > 4 | sort value desc

(10 Apr '12, 03:33) jt_splunk

0	You will probably have to use a combination of transaction and eval commands. Can you post a sample of your events? That would really help. link answered 05 Apr '12, 08:05 Joetron 1.9k●1●2●12 accept rate: 25%

0	Hello @Joetron What do you mean sample of events? (log?) Below I attached picture: look at link answered 06 Apr '12, 00:09 C4r7m4n 56●1●5 accept rate: 28%

Depending on your dataset, it shouldn't be that hard. Try something like this (modify the dates accordingly):

earliest=3/18/2012:0:0:0 latest=3/23/2012:0:0:0 | dedup date_wday <fieldofinterest> | stats c by <fieldofinterest> | where c > 4

If you want a relative timeframe, make earliest=-7d.

link

answered 06 Apr '12, 02:24

jt_splunk
41●1
accept rate: 14%

edited 06 Apr '12, 02:26

Hello @jt_splunk

The statement: | where count > 4 | sort value desc does not work for me:(

Does where word is not deprecated?

And why do You dedup by date_wday hostanem and name instead only by date_wday

"If I understand correctly, for each day of the week, you only care if an event is present or not" -- correct

"Then, you want to know if that event occurs over the course of 5 days, right?" -- Then I want to know if that event occurs 5 times or more in the week (e.g. Monday, Tuesday, Wednesday, Friday and Sunday: 5 times in the week) (e.g.2 Monday, Tuesday, Wednesday, Thursday, Friday and Sunday: 6 times in the week

Best Regards, C4r7m4n

link

answered 12 Apr '12, 01:33

C4r7m4n
56●1●5
accept rate: 28%

I just verified in 4.3.1 that where is still a current and active search keyword. So "| where count > 4" should work for you. What results are you getting when you use just the where portion?

(12 Apr '12, 01:56) jt_splunk

Hi @jt_splunk

Sorry I made a mistake I wrote count as not count by :(

I will test it and give you respond... ;)

(12 Apr '12, 04:31) C4r7m4n

Hello @jt_splunk

It's working, thx

(12 Apr '12, 23:46) C4r7m4n

Post your answer

toggle preview

Follow this question

Email:

RSS:

Answers

Answers + Comments

Markdown Basics

*italic* or _italic_
**bold** or __bold__
link:[text](http://url.com/ "Title")
image?![alt text](/path/img.jpg "Title")
numbered list: 1. Foo 2. Bar
to add a line break simply add two spaces to where you would like the new line to be.
basic HTML tags are also supported

learn more about Markdown

Tags:

search ×1,647

Asked: 05 Apr '12, 05:31

Seen: 951 times

Last updated: 12 Apr '12, 23:46

How to search events that occur at least one per day, count as one and number of such counts are 5 or more per one week?

Follow this question

Splunk Resources

Related questions