
Splunk search if host is inactive for more than 5 minutes


I have two specific messages in Splunk data that I'm searching for per user.

  • active
  • inactive

Anyone know how I can search in Splunk for a user that is inactive for more than 5 minutes? I already have the search where it finds the inactive and active messages and a timestamp for each. What I want to do is only return results if the time between those 2 messages was more than 5 minutes per user.

Example:

index="document" (message="inactive" OR message="active") 

Not sure how to work out the time between those two messages based on the timestamp per user?


Solution

  • Perhaps this will help.

    index="document" (message="inactive" OR message="active")
    ```Create a new field called "duration" that is the difference between the previous value of _time and the current value for the same user```
    | streamstats window=2 range(_time) as duration by user
    ```Show only the inactive events whose duration is greater than 5 minutes (300 seconds)```
    | where (message="inactive" AND duration>300)
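To make the behaviour of the answer's pipeline concrete, here is an added Python emulation of it (it is not part of the answer and not Splunk code). It runs `streamstats window=2 range(_time) ... by user` and the `where` filter over a constructed set of events, and also shows a stricter variant, `inactive_after_active`, which I assume is what the question is after: it measures only from the most recent `active` message to the `inactive` one, so an `inactive` preceded by another `inactive` (user `dave` below) does not count. Event times, user names and the `Event` class are all constructed for the example.

```python
"""Offline emulation of the answer's Splunk pipeline (added example, not Splunk code).

Pipeline emulated:
    | streamstats window=2 range(_time) as duration by user
    | where (message="inactive" AND duration>300)
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Event:
    time: int       # _time as epoch seconds (constructed sample values)
    user: str
    message: str    # "active" or "inactive"


# Constructed sample events, not real Splunk output.
SAMPLE_EVENTS = [
    Event(1000, "alice", "active"),
    Event(1400, "alice", "inactive"),  # 400 s after 'active'  -> reported by both variants
    Event(1000, "bob", "active"),
    Event(1100, "bob", "inactive"),    # 100 s                  -> below threshold
    Event(1000, "carol", "active"),
    Event(1200, "carol", "active"),    # repeated 'active' restarts the 2-event window
    Event(1450, "carol", "inactive"),  # 250 s since the last event -> below threshold
    Event(1000, "dave", "inactive"),
    Event(1400, "dave", "inactive"),   # 400 s since an 'inactive' -> only the answer's
                                       #   pipeline reports it; no 'active' preceded it
]


def streamstats_range_by_user(events: List[Event], window: int = 2) -> List[Tuple[Event, int]]:
    """Emulate `streamstats window=2 range(_time) as duration by user`.

    Returns (event, duration) pairs in processing order. Splunk processes events in
    the order the search returns them (newest first by default); range() is the
    same in either direction, so the emulation simply sorts chronologically.
    """
    history: Dict[str, List[int]] = {}
    out: List[Tuple[Event, int]] = []
    for ev in sorted(events, key=lambda e: e.time):
        hist = history.setdefault(ev.user, [])
        hist.append(ev.time)
        if len(hist) > window:          # keep only the last `window` events per user
            del hist[0]
        duration = max(hist) - min(hist)  # range over the window; 0 for a user's first event
        out.append((ev, duration))
    return out


def inactive_over(events: List[Event], threshold: int = 300) -> List[Tuple[str, int]]:
    """The answer's `where message="inactive" AND duration>300` step."""
    return [
        (ev.user, dur)
        for ev, dur in streamstats_range_by_user(events)
        if ev.message == "inactive" and dur > threshold
    ]


def inactive_after_active(events: List[Event], threshold: int = 300) -> List[Tuple[str, int]]:
    """Stricter variant (my assumption about the intent): measure from the most
    recent 'active' message of the same user to the 'inactive' message, so an
    'inactive' with no preceding 'active' is never reported."""
    last_active: Dict[str, int] = {}
    hits: List[Tuple[str, int]] = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.message == "active":
            last_active[ev.user] = ev.time       # a repeated 'active' resets the start
        elif ev.message == "inactive" and ev.user in last_active:
            gap = ev.time - last_active.pop(ev.user)
            if gap > threshold:
                hits.append((ev.user, gap))
    return hits


if __name__ == "__main__":
    print("answer's pipeline :", inactive_over(SAMPLE_EVENTS))
    print("active -> inactive:", inactive_after_active(SAMPLE_EVENTS))
```

Running it shows the difference between the two: the answer's pipeline reports `alice` and `dave`, because `streamstats window=2` pairs each event with whatever came before it for that user, while the active-to-inactive variant reports only `alice`. If the SPL should behave like the second variant, the filter needs to check the previous event's message as well (for example by carrying it forward with `streamstats ... last(message)` or `last(_time)` over the preceding `active` events), rather than relying on window order alone.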