topic Re: Help with diff or eval? in Splunk Search

Help with diff or eval?

tmarlette — Mon, 29 Oct 2012 17:30:04 GMT

I have one search, for one event type, and a second search for a second event type. one is 'user login' and the other is 'user logout', right? Ideally in the search i am trying to create, the result set would be all of the users that have logged in, and that have not logged out.

I tried to use diff, but I don't know if that function is the best to use for this?

I'm still pretty new to Splunk, so please take a look.

My search looks like this:

| join user(subsearch for eventtype 2) | dedup user | table _time,host,user,ip

this seems to give me all of the users that have logged in, and logged out. I'm looking for those that have logged in, and that have NOT logged out. any ideas?

Re: Help with diff or eval?

Ayn — Mon, 29 Oct 2012 17:49:57 GMT

Perhaps transaction would be better suited for your scenario.

You could do something like

eventtype1 OR eventtype2 | transaction user | search eventtype1 AND NOT eventtype2

Re: Help with diff or eval?

tmarlette — Mon, 29 Oct 2012 20:06:05 GMT

I believe it's closer, I think I will still have to fiddle with this to get it right.

Thank you so much! I'm sure ill be back. 😃

Re: Help with diff or eval?

tmarlette — Wed, 17 Apr 2013 15:17:32 GMT

This did work with some more monkeying! Thank you!