Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Ignore if a certain string is present in the next X min

grasshopper_
Loves-to-Learn
‎06-23-2021 08:57 AM

Hi, 

I am working on a search that looks for instances of "string1", but only those that are not followed by instances of "string2" in X minutes of time. The search runs once every 24hrs and should produce a total count of the instances found.

I am trying to search with bin command.

| index=x

| search "string1" NOT "string2"

| bin _time span=5min

The problem is that this search looks for 5min in the past, as well as 5min in the future. So if "string2" is present within -5min from "string1",  that instance does not get counted, and it should be. It should only be excluded if "string2" is after  "string1".

Many Thanks

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-23-2021 10:21 AM

Try something along these lines - I have used dummy data at 10 minute intervals over a day and looked for string1 which wasn't followed by string2 within an hour, but you should be able to adapt for your usecase.

| gentimes start=-1 increment=10m | rename starttime as _time | fields - endhuman endtime starthuman
| eval field="string".random()%10



| sort 0 -_time
| eval found2=if(field="string2",_time,null())
| streamstats last(found2) as found2
| eval diff=if(field="string1",found2-_time,null())
| where field="string1" AND diff>3600
0 Karma
Reply

grasshopper_
Loves-to-Learn
‎06-24-2021 08:06 AM

 I keep adapting it. If you wanted to make sure that string1 and string2 are from the same host, at what point would you put that? Thanks

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-24-2021 08:17 AM 
| gentimes start=-1 increment=10m | rename starttime as _time | fields - endhuman endtime starthuman
| eval field="string".random()%10
| eval host="host".mvindex(split("ABC",""),random()%3)



| sort 0 -_time
| eval found2=if(field="string2",_time,null())
| streamstats last(found2) as found2 by host
| eval diff=if(field="string1",found2-_time,null())
| where field="string1" AND diff>3600
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...