https://community.splunk.com/t5/Splunk-Search/How-to-search-for-requests-from-the-same-source-that-happen/m-p/504540#M140894 <P>Maybe start with something like</P><LI-CODE lang="markup">base search | streamstats time_window=100ms values(*) as * by user</LI-CODE><P>where the field 'user' is your username field, but at this point, it very much depends on what you want to do with that data</P><P>&nbsp;</P> Tue, 16 Jun 2020 06:25:25 GMT bowesmana 2020-06-16T06:25:25Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-requests-from-the-same-source-that-happen/m-p/503620#M140581 <P>Greetings,</P><P>I need to search for requests from the same username that occur within certain time interval, say, less than 100ms and output various request attributes. How can the query be constructed to extract such requests?</P><P>Thanks in advance</P> Tue, 09 Jun 2020 20:14:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-requests-from-the-same-source-that-happen/m-p/503620#M140581 passogiau 2020-06-09T20:14:59Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-requests-from-the-same-source-that-happen/m-p/504540#M140894 <P>Maybe start with something like</P><LI-CODE lang="markup">base search | streamstats time_window=100ms values(*) as * by user</LI-CODE><P>where the field 'user' is your username field, but at this point, it very much depends on what you want to do with that data</P><P>&nbsp;</P> Tue, 16 Jun 2020 06:25:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-requests-from-the-same-source-that-happen/m-p/504540#M140894 bowesmana 2020-06-16T06:25:25Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-requests-from-the-same-source-that-happen/m-p/504720#M140961 <P>That's a very good start,&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/6367">@bowesmana</a>.&nbsp; Two additions...&nbsp;</P><P>1) As a practice, we always include in the pseudocode a <STRONG>fields</STRONG> command to limit the junk and speed the search. If beginners learn that strategy early on, it will save them centuries of machine time.&nbsp; When doing <STRONG>values(*) as *</STRONG>, it's especially important.</P><P>2) <STRONG>streamstats</STRONG> is finicky with <STRONG>time_window</STRONG>, so if we're doing anything complicated, then we usually include a <STRONG>sort 0</STRONG>&nbsp;to explicitly validate the event order right before the <STRONG>streamstats</STRONG>.</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="css">base search | fields _time user ... the exact fields that you want to know about ... | sort 0 _time user | streamstats time_window=101ms values(*) as * by user</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>I gave it 1 extra ms, since I can never remember whether <STRONG>streamstats</STRONG> is inclusive or exclusive, and with ms it might matter.&nbsp;</P><P>&nbsp;</P> Wed, 17 Jun 2020 02:29:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-requests-from-the-same-source-that-happen/m-p/504720#M140961 DalJeanis 2020-06-17T02:29:51Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-requests-from-the-same-source-that-happen/m-p/504731#M140963 <P>Good point <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/203121">@DalJeanis</a>&nbsp;about the wildcards - you're right, that particular construct is not something you're ever likely to want to do on _raw data given all the additional fields you'd collect on the way, so worth pointing out.</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 17 Jun 2020 05:23:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-requests-from-the-same-source-that-happen/m-p/504731#M140963 bowesmana 2020-06-17T05:23:59Z