https://community.splunk.com/t5/Splunk-Search/How-to-find-the-most-recent-event-for-a-user-preceding-some/m-p/43805#M10314 <P>Thanks for the answer, but could you offer any more detail please as I'm still not clear how I would do that? E.g. suppose in a very simple example I have</P> <UL> <LI>userid 1, eventtype A</LI> <LI>...</LI> <LI>userid 2, eventtype B</LI> <LI>...</LI> <LI>userid 1, eventtype "Exception"</LI> <LI>...</LI> <LI>userid 1, eventtype C</LI> <LI>...</LI> <LI>userid 1, eventtype "Exception"</LI> <LI>...</LI> <LI>userid 2, eventtype "Exception"</LI> </UL> <P>Here I'd want to see that 1/3 of the time the preceding event was A, 1/3 of the time it was B and 1/3 of the time it was C...</P> Wed, 27 Feb 2013 06:37:31 GMT MatMeredith 2013-02-27T06:37:31Z https://community.splunk.com/t5/Splunk-Search/How-to-find-the-most-recent-event-for-a-user-preceding-some/m-p/43803#M10312 <P>I have a set of user activity logs, each of which identifies an event-type and a user-id. One possible event-type is "Exception" and when a user hits an "Exception" I want to know what other event type most commonly precedes it for the user. Specifically I'd like a table that shows me how often the most recent previous event is X, Y, Z etc.</P> <P>I'm struggling to see how to do this. Can anyone help please?</P> <P>Many thanks!</P> Tue, 26 Feb 2013 12:06:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-the-most-recent-event-for-a-user-preceding-some/m-p/43803#M10312 MatMeredith 2013-02-26T12:06:35Z https://community.splunk.com/t5/Splunk-Search/How-to-find-the-most-recent-event-for-a-user-preceding-some/m-p/43804#M10313 <P>You could use streamstats to append the previous event to the current event, and then use that to build your table.</P> Tue, 26 Feb 2013 14:44:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-the-most-recent-event-for-a-user-preceding-some/m-p/43804#M10313 martin_mueller 2013-02-26T14:44:57Z https://community.splunk.com/t5/Splunk-Search/How-to-find-the-most-recent-event-for-a-user-preceding-some/m-p/43805#M10314 <P>Thanks for the answer, but could you offer any more detail please as I'm still not clear how I would do that? E.g. suppose in a very simple example I have</P> <UL> <LI>userid 1, eventtype A</LI> <LI>...</LI> <LI>userid 2, eventtype B</LI> <LI>...</LI> <LI>userid 1, eventtype "Exception"</LI> <LI>...</LI> <LI>userid 1, eventtype C</LI> <LI>...</LI> <LI>userid 1, eventtype "Exception"</LI> <LI>...</LI> <LI>userid 2, eventtype "Exception"</LI> </UL> <P>Here I'd want to see that 1/3 of the time the preceding event was A, 1/3 of the time it was B and 1/3 of the time it was C...</P> Wed, 27 Feb 2013 06:37:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-the-most-recent-event-for-a-user-preceding-some/m-p/43805#M10314 MatMeredith 2013-02-27T06:37:31Z https://community.splunk.com/t5/Splunk-Search/How-to-find-the-most-recent-event-for-a-user-preceding-some/m-p/43806#M10315 <P>Try something like this:</P> <PRE><CODE>... | streamstats current=f window=1 last(eventtype) as other_eventtype by userid </CODE></PRE> Wed, 27 Feb 2013 08:25:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-the-most-recent-event-for-a-user-preceding-some/m-p/43806#M10315 martin_mueller 2013-02-27T08:25:15Z