
Can someone help me with stats dc with subsearch?

cbrbkrm
Loves-to-Learn
Let's say we have a couple of fields in our dataset (called my_dataset): event_time, event_type, user, field1 and field2. Now, we want to make a search that:
distinct count of field1 > X OR distinct count of field2 > Y happens within Z minutes from when a specific event_type (let's call that value type1) happens for the first time.
In other words, this search counts the number of different field1 or field2 unique values within Z minutes from the first type1 (but it searches all event_type values when counting field1 and field2).

I tried:
| tstats
...
from datamodel=my_dataset
groupby _time

| eval
detection_time_end=strftime((relative_time(event_time,"+`Z`")), "%F %T.%Q"), ``` `Z` is a macro holding the minute window, e.g. 15m ```
only_type1=if((event_type="type1"),1,null()) ``` null() is the eval function; a bare null is not valid ```

| stats
earliest(event_time) as earliest_time,
earliest(detection_time_end) as end_of_detection_time,
dc(field1) as number_of_different_field1_events,
dc(field2) as number_of_different_field2_events ``` no trailing comma before by ```
by user, only_type1

This only takes me so far and I'm not sure what to do next. I get statistics of earliest time and end of detection time of type1 per user with total distinct counts of field1 and field2 events.

I guess I have to use subsearch here? Any help is appreciated here since I got really stuck with this one. Thanks!

yuanliu
SplunkTrust

I'll take a more literal approach, like

field1 > X OR field2 > Y
| append
    [| tstats min(_time) as first_time where event_type = "type1"] ``` this assumes event_type is indexed - can be more sophisticated if this is not true ```
| eventstats values(first_time) as first_type1 ``` just to populate first_type1 ```
| where first_type1 < event_time and event_time < relative_time(first_type1, "+" . Z . "min")
| stats dc(field1) as number_of_different_field1_events,
        dc(field2) as number_of_different_field2_events
        by user

Obviously, where the "first" type1 event occurs is dependent on the actual search window. The above assumes that event_type is indexed, although if you cannot use tstats, you can still use a search to do the same.

There must be a way to not even use subsearch because data is already available in the main search. I just haven't seen it.

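As an added example (not code from either post), here is one way to get the same result without the append subsearch: the first type1 time per user is computed with eventstats inside the main search, the window filter is applied with where, and the X / Y thresholds are applied to the distinct counts after stats. It assumes a plain event search over a placeholder index in place of the elided tstats/datamodel part, that event_time is the event's epoch _time, and it uses 15 minutes, 5 and 3 as stand-ins for the question's Z, X and Y.

```spl
index=my_index sourcetype=my_sourcetype ``` placeholder index/sourcetype standing in for the datamodel search ```
``` mark the type1 events, then take the earliest one per user in the same search (no subsearch) ```
| eval type1_time=if(event_type="type1", _time, null())
| eventstats min(type1_time) as first_type1 by user
``` keep every event_type, but only events inside the Z-minute window after that first type1 (15m stands in for Z) ```
| where isnotnull(first_type1) AND _time>=first_type1 AND _time<relative_time(first_type1, "+15m")
``` distinct counts of field1 and field2 across all event types in the window, per user ```
| stats min(first_type1) as first_type1,
        dc(field1) as number_of_different_field1_events,
        dc(field2) as number_of_different_field2_events
        by user
``` apply the thresholds to the distinct counts, not to the raw field values (5 and 3 stand in for X and Y) ```
| where number_of_different_field1_events>5 OR number_of_different_field2_events>3
``` readable window boundaries; detection_time_end is derived before first_type1 is converted to a string ```
| eval detection_time_end=strftime(relative_time(first_type1, "+15m"), "%F %T"),
       first_type1=strftime(first_type1, "%F %T")
```

If the "first time" is meant search-wide rather than per user, drop `by user` from the eventstats line and the window is measured from the single earliest type1 event in the search window.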