https://community.splunk.com/t5/Splunk-Search/How-to-group-together-events-based-on-their-relative-distance-in/m-p/191413#M55115 <P>The transaction command did it. Though I will say it adds a LOT of overhead and makes some of our searches impossible over more than a few minutes. It does however do the same as the above initial search AND ensures they all happened within 1 second of each other.</P> <P>I can now say "Someone logged into 3 different servers within one second, and here is your single alert showing you so".</P> <P>sourcetype=logins login_server="server_01" login_server="server_02" login_server="server_03" | transaction fields="HostName" maxspan=1s | eval UniqueServers=mvcount(login_server) | where UniqueServers &gt; 1</P> Mon, 28 Sep 2020 16:51:32 GMT thisissplunk 2020-09-28T16:51:32Z https://community.splunk.com/t5/Splunk-Search/How-to-group-together-events-based-on-their-relative-distance-in/m-p/191411#M55113 <P>Hello All,</P> <P>I'm trying to figure out how to group certain events together if they happen within 1 second of each other's relative _time (they happened &lt;= one second from each other).</P> <P>Current search as an example example:</P> <PRE><CODE>sourcetype=logins login_server="server_01" login_server="server_02" login_server="server_03" | stats values(login_server) count(login_server) AS UniqueEventCount dc(login_server) AS UniqueServerCount by HostName, User | sort -UniqueServerCount | where UniqueServerCount &gt; 1 </CODE></PRE> <P>What the above answers is: "Show me the events where a host and user name logs into two or more different login servers". What I need to add is that I only want to show events that log into two or more login servers within 1 second of each other.</P> <P>Bucket does not do this as two events can fall within 1 second of each other, but not fall into the same one second buckets markers.</P> <P>Any ideas?</P> Fri, 06 Jun 2014 18:21:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-together-events-based-on-their-relative-distance-in/m-p/191411#M55113 thisissplunk 2014-06-06T18:21:44Z https://community.splunk.com/t5/Splunk-Search/How-to-group-together-events-based-on-their-relative-distance-in/m-p/191412#M55114 <P>Hi thisissplunk,</P> <P>Maybe you can use the "transaction" command. Using a "| transaction login_server maxspan=1s". This way you will group all the events with the login_server that are equal withing 1 second max difference between events.</P> <P>Hope this helps!</P> Mon, 28 Sep 2020 16:48:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-together-events-based-on-their-relative-distance-in/m-p/191412#M55114 gfreitas 2020-09-28T16:48:49Z https://community.splunk.com/t5/Splunk-Search/How-to-group-together-events-based-on-their-relative-distance-in/m-p/191413#M55115 <P>The transaction command did it. Though I will say it adds a LOT of overhead and makes some of our searches impossible over more than a few minutes. It does however do the same as the above initial search AND ensures they all happened within 1 second of each other.</P> <P>I can now say "Someone logged into 3 different servers within one second, and here is your single alert showing you so".</P> <P>sourcetype=logins login_server="server_01" login_server="server_02" login_server="server_03" | transaction fields="HostName" maxspan=1s | eval UniqueServers=mvcount(login_server) | where UniqueServers &gt; 1</P> Mon, 28 Sep 2020 16:51:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-together-events-based-on-their-relative-distance-in/m-p/191413#M55115 thisissplunk 2020-09-28T16:51:32Z