How to solve a scan problem based on scan history in Splunk?

Problem description

The requirement is to find event_A and event_B such that

  1. There is a preceding event_A, the first character of event_A's TEXT field is the same as the first character of event_B's TEXT field, and the second character satisfies the condition:

Here is some sample data:

_time                           CATEGORY    TYPE    TEXT
2020-12-29T05:20:32.710-0800    ADVISORY    event_B K35JB
2020-12-29T05:37:54.462-0800    ADVISORY    event_B A05KM
2020-12-29T05:57:50.164-0800    ADVISORY    event_B K25CD
2020-12-29T05:59:06.004-0800    ALARM       event_A R20-A
2020-12-29T05:59:24.635-0800    ALARM       event_A K35-E
2020-12-29T05:59:37.200-0800    ALARM       event_A C15
2020-12-29T06:00:24.470-0800    CLEARED     event_A R20-A
2020-12-29T06:00:40.415-0800    CLEARED     event_A K35-E
2020-12-29T06:08:09.945-0800    ADVISORY    event_B R65AG
2020-12-29T06:14:24.740-0800    ADVISORY    event_B K35JB
2020-12-29T06:14:43.988-0800    ADVISORY    event_B K45JB
2020-12-29T06:56:44.642-0800    ADVISORY    event_B A77MD
2020-12-29T06:59:42.745-0800    ADVISORY    event_B C87AB
2020-12-29T07:30:39.080-0800    ADVISORY    event_B M97AF
2020-12-29T08:39:26.008-0800    ADVISORY    event_B K25BA
2020-12-29T09:46:48.175-0800    ADVISORY    event_B C25EG

Here is an illustration of the sample data above (comments follow the #):

_time                           CATEGORY    TYPE    TEXT
                                                                # all the event_B without event_A before are eliminated
2020-12-29T05:59:06.004-0800    ALARM       event_A R20-A   # expecting event_B with TEXT with prefix Ri where i = 1, 2, 3
2020-12-29T05:59:24.635-0800    ALARM       event_A K35-E   # expecting event_B with TEXT with prefix Ki where i = 2, 3, 4
2020-12-29T05:59:37.200-0800    ALARM       event_A C15     # expecting event_B with TEXT with prefix Ci where i = 0, 1, 2
2020-12-29T06:00:24.470-0800    CLEARED     event_A R20-A   # only expecting event_B with TEXT with prefix Ri where i = 1, 2, 3 with _time < 2020-12-29T06:00:24.470-0800 + 60 minutes
2020-12-29T06:00:40.415-0800    CLEARED     event_A K35-E   # only expecting event_B with TEXT with prefix Ki where i = 2, 3, 4 with _time < 2020-12-29T06:00:40.415-0800 + 60 minutes
2020-12-29T06:08:09.945-0800    ADVISORY    event_B R65AG   # to be eliminated, not expected, as R6 does not match Ri, i=1, 2, 3
2020-12-29T06:14:24.740-0800    ADVISORY    event_B K35JB   # kept, as K3 matched the expected prefix, and within the time windows
2020-12-29T06:14:43.988-0800    ADVISORY    event_B K45JB   # kept, as K4 matched the expected prefix, and within the time windows
2020-12-29T06:56:44.642-0800    ADVISORY    event_B A77MD   # to be eliminated, not expected, as A7 does not match any of the expected prefix
2020-12-29T06:59:42.745-0800    ADVISORY    event_B C87AB   # to be eliminated, not expected, as C8 does not match Ci, i=0, 1, 2
2020-12-29T07:30:39.080-0800    ADVISORY    event_B M97AF   # to be eliminated, not expected, as M9 does not match any of the expected prefix
2020-12-29T08:39:26.008-0800    ADVISORY    event_B K25BA   # to be eliminated, not expected, as its _time is beyond the expected window
2020-12-29T09:46:48.175-0800    ADVISORY    event_B C25EG   # kept, as C2 matched the expected prefix, and there is no time window limit for the prefix C2

I cannot find a solution using a Splunk query.

I could only find a solution when there is just one event_A expecting a corresponding event_B, using streamstats to track the single expected event_A TEXT prefix and using _time to scan for a satisfying event_B, but once there are multiple event_A expecting different TEXT prefixes and _time, I cannot find a way to remember and enforce the scan for the expectations of multiple event_A.

With a traditional programming language such as Python, I would keep track of the union of expectant prefixes and time windows and scan the events against that historical state.

Can you help me! Thanks in advance!

Tags: splunk, splunk-query
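The stateful scan the question describes, replayed in Python over a copy of its sample rows (an added example, not part of the original question or an answer on this page). The rule is taken from the annotated illustration: an ALARM event_A opens an expectation for TEXT prefixes with the same first character and the second digit plus or minus one, a CLEARED event_A starts a 60-minute window after which the expectation is dropped, and only event_B rows with _time strictly inside an open expectation are kept. The function names, the dict-based state, and the clamping of the digit range to 0..9 are this example's own choices.

```python
from datetime import datetime, timedelta
# Constructed copy of the question's sample rows: _time CATEGORY TYPE TEXT
SAMPLE = """
2020-12-29T05:20:32.710-0800 ADVISORY event_B K35JB
2020-12-29T05:37:54.462-0800 ADVISORY event_B A05KM
2020-12-29T05:57:50.164-0800 ADVISORY event_B K25CD
2020-12-29T05:59:06.004-0800 ALARM    event_A R20-A
2020-12-29T05:59:24.635-0800 ALARM    event_A K35-E
2020-12-29T05:59:37.200-0800 ALARM    event_A C15
2020-12-29T06:00:24.470-0800 CLEARED  event_A R20-A
2020-12-29T06:00:40.415-0800 CLEARED  event_A K35-E
2020-12-29T06:08:09.945-0800 ADVISORY event_B R65AG
2020-12-29T06:14:24.740-0800 ADVISORY event_B K35JB
2020-12-29T06:14:43.988-0800 ADVISORY event_B K45JB
2020-12-29T06:56:44.642-0800 ADVISORY event_B A77MD
2020-12-29T06:59:42.745-0800 ADVISORY event_B C87AB
2020-12-29T07:30:39.080-0800 ADVISORY event_B M97AF
2020-12-29T08:39:26.008-0800 ADVISORY event_B K25BA
2020-12-29T09:46:48.175-0800 ADVISORY event_B C25EG
"""
WINDOW = timedelta(minutes=60)  # how long an expectation survives its CLEARED event_A

def parse_events(raw):
    """Parse the whitespace-separated rows into dicts, sorted by _time."""
    rows = [line.split() for line in raw.strip().splitlines()]
    events = [{"_time": datetime.strptime(t, "%Y-%m-%dT%H:%M:%S.%f%z"),
               "CATEGORY": c, "TYPE": ty, "TEXT": tx} for t, c, ty, tx in rows]
    return sorted(events, key=lambda e: e["_time"])

def expected_prefixes(text):
    """'K35-E' -> {'K2', 'K3', 'K4'}: same first char, second digit +/- 1 (clamped to 0..9, an assumption)."""
    letter, digit = text[0], int(text[1])
    return {f"{letter}{i}" for i in range(max(0, digit - 1), min(9, digit + 1) + 1)}

def scan(events):
    """Replay events in time order; return the event_B rows that match an open expectation."""
    open_exp, kept = {}, []  # event_A TEXT -> (prefix set, deadline); deadline is None until CLEARED
    for ev in events:
        now = ev["_time"]
        # Drop expectations whose post-CLEARED window has passed (_time must be < deadline).
        open_exp = {k: v for k, v in open_exp.items() if v[1] is None or now < v[1]}
        if ev["TYPE"] == "event_A" and ev["CATEGORY"] == "ALARM":
            open_exp[ev["TEXT"]] = (expected_prefixes(ev["TEXT"]), None)
        elif ev["TYPE"] == "event_A" and ev["CATEGORY"] == "CLEARED" and ev["TEXT"] in open_exp:
            open_exp[ev["TEXT"]] = (open_exp[ev["TEXT"]][0], now + WINDOW)  # keep prefixes, start clock
        elif ev["TYPE"] == "event_B":
            if any(ev["TEXT"][:2] in prefixes for prefixes, _ in open_exp.values()):
                kept.append(ev)
    return kept
```

Running `scan(parse_events(SAMPLE))` keeps exactly the three rows marked "kept" in the illustration (K35JB, K45JB, C25EG); an event_B that arrives before any ALARM, outside a cleared window, or with an unexpected second digit is dropped.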

Solution

