How to combine events which got generated in a spe...

kranthimutyala · ‎10-06-2022

Hi Team,

Im trying to combine events which are generated in a specific span of 1hr and show the count as 1 instead of the actual count. I tried with a bucket and its clubbing them the count is still not coming to 1.
Irrespective of how many events has been geenrated for a specific condition in a span of 1hr I want to keep it as count 1. Can someone help on how to achieve this .Thanks

ITWhisperer · ‎10-06-2022

Please share the search you have tried to solve this, preferably in a code block (use the </> formatting button)

kranthimutyala · ‎10-07-2022

index = abc Environment = "PROD" ProcessName = "*" LogType = "*" TaskName = "*Main*" (LogLevel=ERROR OR LogLevel=FATAL) | bucket _time span=2h |stats count by _time TaskName

ITWhisperer · ‎10-07-2022

Your stats command is counting the events in the pipeline and creating stats events - try counting these stats events with the same by clause

index = abc Environment = "PROD" ProcessName = "*"  LogType = "*" TaskName = "*Main*" (LogLevel=ERROR OR LogLevel=FATAL) | bucket _time span=2h |stats count by _time TaskName |stats count by _time TaskName

How to combine events which got generated in a specific span?

index

other

source

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!