https://community.splunk.com/t5/Splunk-Search/Sequential-event-mining/m-p/46143#M11026 <P>@Martin_mueller, thanks. Streamstats is cool. I don't know this command before but I managed to generate unique event using DEDUP. My actual question is actually what command should I use after having unique event:</P> <P>How to list those where the first is a failure and the second is a success<BR /> and the number of unique users having this sequence?</P> Sat, 25 May 2013 19:16:18 GMT fayedong 2013-05-25T19:16:18Z https://community.splunk.com/t5/Splunk-Search/Sequential-event-mining/m-p/46141#M11024 <P>Hi everybody,</P> <P>I am new to Splunk. I have a question about Splunk query.</P> <P>Here are some sample logs (timestamp ordered) which record users' success attempts and failure attempts:</P> <P>TimeStamp UserName Status<BR /> t7 UserA success<BR /> t6 UserA failure<BR /> t5 UserB success<BR /> t4 UserC failure<BR /> t3 UserC success<BR /> t2 UserD failure<BR /> t1 UserE success</P> <P>My question is what should the query like if I want to find out users whose first attempt failed and then second attempt succeeded? .</P> <P>Thanks.</P> Sat, 25 May 2013 04:38:47 GMT https://community.splunk.com/t5/Splunk-Search/Sequential-event-mining/m-p/46141#M11024 fayedong 2013-05-25T04:38:47Z https://community.splunk.com/t5/Splunk-Search/Sequential-event-mining/m-p/46142#M11025 <P>For analysing relationships between events you often need streamstats. For example, appending this</P> <PRE><CODE>streamstats count by UserName </CODE></PRE> <P>will give you a unique numbering of events per user. After that you could filter for those where the first is a failure and the second is a success.</P> Sat, 25 May 2013 18:27:35 GMT https://community.splunk.com/t5/Splunk-Search/Sequential-event-mining/m-p/46142#M11025 martin_mueller 2013-05-25T18:27:35Z https://community.splunk.com/t5/Splunk-Search/Sequential-event-mining/m-p/46143#M11026 <P>@Martin_mueller, thanks. Streamstats is cool. I don't know this command before but I managed to generate unique event using DEDUP. My actual question is actually what command should I use after having unique event:</P> <P>How to list those where the first is a failure and the second is a success<BR /> and the number of unique users having this sequence?</P> Sat, 25 May 2013 19:16:18 GMT https://community.splunk.com/t5/Splunk-Search/Sequential-event-mining/m-p/46143#M11026 fayedong 2013-05-25T19:16:18Z https://community.splunk.com/t5/Splunk-Search/Sequential-event-mining/m-p/46144#M11027 <P>Thanks, martin_mueller. My question actually is : how to filter for those where the first is a failure and the second is a success? <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Sat, 25 May 2013 19:17:58 GMT https://community.splunk.com/t5/Splunk-Search/Sequential-event-mining/m-p/46144#M11027 fayedong 2013-05-25T19:17:58Z https://community.splunk.com/t5/Splunk-Search/Sequential-event-mining/m-p/46145#M11028 <P>After counting them, you could filter like this:</P> <PRE><CODE>where (Status="failure" AND count=1) OR (Status="success" AND count=2) | eventstats count by UserName | where count=2 </CODE></PRE> <P>That'll first filter for only those events where the first attempt is a failure and the second attempt is a success, then counts by username and only keeps those that have both attempts - ie filters out two failures or two successes.</P> <P>I'm not sure whether that's what you need though - what goal are you trying to achieve?</P> Sat, 25 May 2013 19:38:53 GMT https://community.splunk.com/t5/Splunk-Search/Sequential-event-mining/m-p/46145#M11028 martin_mueller 2013-05-25T19:38:53Z https://community.splunk.com/t5/Splunk-Search/Sequential-event-mining/m-p/46146#M11029 <P>stats first(Status) as Status1 last(Status) as Status2 by UserName | search Status1="Success" AND Status2="Failure" </P> Sat, 25 May 2013 20:41:01 GMT https://community.splunk.com/t5/Splunk-Search/Sequential-event-mining/m-p/46146#M11029 fayedong 2013-05-25T20:41:01Z