- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do I use a large input in a query?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I use a large input in a query?
I am try to write some query[ies] so that I find user who had done action A AFTER they did action B . the time span is simply too long to use transaction command. Previously when I used to run a query for userid who did action A (the smaller set of the 2), manually make that list into a giant (userid1 OR userid2) and search for users who did action B. This would work when the output from action A was around 10k id. Now I have to do thing same thing, except the the number of user now increase to the hundreds of thousand range too impractical to do the manual approach. I tried using subsearch but that doesn't work well with large input data. can someone suggest a solution that scale well? thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
(index=eventA OR index=eventB) (action="A" OR action="B") | streamstats count(eval(action="A")) AS SessionID BY user | sort SessionID user
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sorry I left out an important part of the question, I need to find the userID of those who did action A AFTER they did action B. your query wont' work. thanks you for your help though
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, try this:
(index=eventA OR index=eventB) (action="A" OR action="B") | streamstats count(eval(action="A")) AS SessionID BY user userID | sort SessionID user userID
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried something like this
index=eventA OR index=eventB action=A or action=B | chart count over user by action | where actionA>0 AND actionB>0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sorry I left out an important part of the question, I need to find the userID of those who did action A AFTER they did action B. your query wont' work. thanks you for your help though
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
index=eventA OR index=eventB action=A or action=B | stats latest(eval(if(action="A", _time, null()))) as a latest(eval(if(action="B", _time, null()))) as b by userid | where a>b
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
