The slidingTimeWindow() function applies an
aggregation to a moving time-based window of events in a
sequence. It is useful for calculating metrics over a fixed time
period, allowing for time-based trend analysis and data
smoothing.
The difference between slidingTimeWindow()
and window() is that
window() spans multiple buckets and
accumulates events inside the bucket, whereas
slidingTimeWindow() does not use buckets,
but simply accumulates across the incoming events within a
specified span.
Only functions (for example, sum(),
avg(),
count()) that output a single event
can be used in the sub-aggregation because the
slidingTimeWindow() function needs
a single value to add to its running total for each
event.
The window can contain a maximum of 10000 events.
Events must be sorted in order by timestamp. Unordered
or missing timestamps will result in errors.
In this example, the slidingTimeWindow() function
is used with the groupBy() function to detect event
A happening X times before event B within a specific timespan.
The query will detect instances where there are 3 or more failed
attempts followed by a successful attempt, all occurring within a
3-second window.
Note that the slidingTimeWindow() function must be
used after an aggregator function to ensure event ordering. Also note
that the events must be sorted in order by timestamp to prevent errors
when running the query. It is possible to select any field to use as a
timestamp.
Groups the events by a specified key (for example, a user ID or IP
address), then creates a sliding time window of 3 seconds (with a span
of 3 seconds).
Furthermore, it filters all the failed attempts where the field
status contains the value
failure, makes a count of all the failed attempts,
and returns the results in a field named
failures, calculates the
timespan of the failures, retrieves the timestamp of the last failure,
and selects the status of the last event.
logscale
|failures>=3
Filters for windows with 3 or more failures.
logscale
|status="success"
Filters for partitions containing the value success
in the status field.
Event Result set.
Summary and Results
The query is used to detect event A happening X times before event B
within a specific timespan. It looks for instances where there were 3 or
more failed attempts followed by a successful attempt, all occurring
within a 3-second window. Using a sliding time window of 3 seconds,
provides a more precise time constraint compared to the usage of
partition() in
Detect Event A Happening X Times Before Event B.
The query can be used to detect potential brute force attack patterns
within a specific timeframe. Note that the effectiveness of this query
depends on the nature of your data and the typical patterns in your
system.
Sample output from the incoming example data:
key
failures
status
a
5
success
a
7
success
Detect Two Events Occurring in Quick Succession
Detect event B occurring quickly after event A using the slidingTimeWindow() function
In this example, the slidingTimeWindow() function
is used to detect event B occurring quickly after event A.
Note that the slidingTimeWindow() function must be
used after an aggregator function to ensure event ordering. Also note
that the events must be sorted in order by timestamp to prevent errors
when running the query. It is possible to select any field to use as a
timestamp.
Creates a sliding time window of 1 second. Within each window it
counts the occurrences of event A, returning the results in a new
field named countAs, and
selects the event type of the last event in the window.
logscale
|countAs>0
Filters for windows where at least one event A occurred.
logscale
|event="B"
Checks if the last event in the window is event B.
Event Result set.
Summary and Results
The query is used to detect instances where event B occurs quickly
(within 1 second) after event A. The
span parameter
configures the interval, allowing this to be customized.
Sample output from the incoming example data:
countAs
event
@timestamp
1
B
1451606301000
The query is useful for identifying sequences of events that happen in
quick succession, which could indicate specific patterns of behavior or
system interactions.
