Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get the previous savedsearch by a given savedsearch from the same user?

splunkrocks2014
Communicator
‎04-10-2017 10:43 AM

I used the following query to get a list of savedsearches by a given user:

index=_internal user="John Doe"  | table _time user savedsearch_name

The results shows as

    _time                     user                  savedsearch_name
    2017-04-10 13:25:48.706 John Doe                savedsearch_xyz
    2017-04-10 13:25:48.625 John Doe                savedsearch_abc
    2017-04-10 13:25:47.314    John Doe                savedsearch_123

I tried to acomplsh is to get the previous savedsearch_name by given the savedsearch as well. For example,

index=_internal user="John Doe"  [sub search] | where  savedsearch_name="savedsearch_xyz"

The expected result looks like the following:

        _time                     user      current_savedsearch_name    previous_savedsearch_name
        2017-04-10 13:25:48.706 John Doe    savedsearch_xyz             savedsearch_abc

Thanks

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎04-11-2017 02:28 PM 
 index=_internal user="John Doe"  
 | table _time user savedsearch_name
 | sort 0 _time
 | streamstats current=f last(savedsearch_name) as priorsearch_name by user
 | where  savedsearch_name="savedsearch_xyz"
 | reverse
 | dedup savedsearch_name

...and a run-anywhere data sample ...

| makeresults 
|eval mydata="2017-04-10 13:25:48.706,John Doe,savedsearch_xyz!!!!2017-04-10 13:25:48.625,John Doe,savedsearch_abc!!!!2017-04-10 13:25:47.314,John Doe,savedsearch_123!!!!2017-04-10 13:05:48.706,John Doe,savedsearch_xyz!!!!2017-04-10 13:05:47.314,John Doe,savedsearch_notme"
| makemv delim="!!!!" mydata 
| mvexpand mydata
| makemv delim="," mydata
| eval _time=strptime(mvindex(mydata,0),"%Y-%m-%d %H:%M:%S.%3Q")
| eval user=mvindex(mydata,1)
| eval savedsearch_name=mvindex(mydata,2) 
| table _time user savedsearch_name

 | sort 0 _time
 | streamstats current=f last(savedsearch_name) as priorsearch_name by user
 | where  savedsearch_name="savedsearch_xyz"
 | reverse
 | dedup savedsearch_name

...resulting in ...

_time                    user        savedsearch_name     priorsearch_name
2017-04-10 13:25:48.706  John Doe    savedsearch_xyz      savedsearch_abc

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎04-11-2017 02:28 PM 
 index=_internal user="John Doe"  
 | table _time user savedsearch_name
 | sort 0 _time
 | streamstats current=f last(savedsearch_name) as priorsearch_name by user
 | where  savedsearch_name="savedsearch_xyz"
 | reverse
 | dedup savedsearch_name

...and a run-anywhere data sample ...

| makeresults 
|eval mydata="2017-04-10 13:25:48.706,John Doe,savedsearch_xyz!!!!2017-04-10 13:25:48.625,John Doe,savedsearch_abc!!!!2017-04-10 13:25:47.314,John Doe,savedsearch_123!!!!2017-04-10 13:05:48.706,John Doe,savedsearch_xyz!!!!2017-04-10 13:05:47.314,John Doe,savedsearch_notme"
| makemv delim="!!!!" mydata 
| mvexpand mydata
| makemv delim="," mydata
| eval _time=strptime(mvindex(mydata,0),"%Y-%m-%d %H:%M:%S.%3Q")
| eval user=mvindex(mydata,1)
| eval savedsearch_name=mvindex(mydata,2) 
| table _time user savedsearch_name

 | sort 0 _time
 | streamstats current=f last(savedsearch_name) as priorsearch_name by user
 | where  savedsearch_name="savedsearch_xyz"
 | reverse
 | dedup savedsearch_name

...resulting in ...

_time                    user        savedsearch_name     priorsearch_name
2017-04-10 13:25:48.706  John Doe    savedsearch_xyz      savedsearch_abc
0 Karma
Reply
Solved! Jump to solution

splunkrocks2014
Communicator
‎04-13-2017 01:05 PM

Hi Daljeanis, appreciated for your help. This is exactly I am looking for!!!

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-10-2017 06:53 PM

Like this:

index=_internal user=* savedsearch_name=*
| dedup _time user savedsearch_name
| streamstats count BY user
| where count<=2

And then either this:

| stats list(*) AS * BY user

Or this (exactly what you asked):

| stats latest(_time) AS _time earliest(savesearch_name) AS previous_savedsearch_name latest(savedsearch_name) AS current_savedsearch_name BY user
0 Karma
Reply
Solved! Jump to solution

splunkrocks2014
Communicator
‎04-11-2017 08:54 AM

Hi Woodcock, sorry I didn't state clearly from my request. What I tried to accomplish is like this

index=_internal user="John Doe"  [sub search] | where  savedsearch_name="savedsearch_xyz"

I am thinking that the "sub search" is able to get a list of current and previous savedsearches

Thanks,

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-11-2017 11:24 AM

I do not get it at all. Let's skip the how and focus on the what. My answer gives you exactly your stated desire. If that's not really what you need, then do describe exactly what you need and do not get into the weeds of how.

0 Karma
Reply
Solved! Jump to solution

splunkrocks2014
Communicator
‎04-11-2017 12:32 PM

Thank you, woodcock. I updated my initial request.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎04-10-2017 12:28 PM

Give this a try

index=_internal user=* savedsearch_name=* | dedup _time user savedsearch_name |table _time user savedsearch_name | dedup 2 user
| stats max(_time) as _time first(savedsearch_name) as current_savedsearch_name last(savedsearch_name) as previous_savedsearch_name by user
0 Karma
Reply
Solved! Jump to solution

splunkrocks2014
Communicator
‎04-10-2017 03:10 PM

Hi somesoni2, the query returns the same value from current and previous savedsearch names.

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎04-10-2017 03:20 PM

If the user runs the same saved search twice in a row, it would have the same name in both places. Remove _time from the first dedup and see if that fixes it.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎04-10-2017 03:19 PM

How about this?

index=_internal sourcetype=scheduler user=* savedsearch_name=* | dedup user savedsearch_name | dedup 2 user
 | stats max(_time) as _time first(savedsearch_name) as current_savedsearch_name last(savedsearch_name) as previous_savedsearch_name by user
0 Karma
Reply
Solved! Jump to solution

splunkrocks2014
Communicator
‎04-11-2017 08:28 AM

The query works; however, if I wanted to search a specific savedsearch_name and its previous savedsearch_name, the query doesn't work. What I tried to do is like this (of course, my query doesn't work)

index=_internal sourcetype=scheduler user="John Doe"  
| dedup user savedsearch_name 
| dedup 2 user
| stats max(_time) as _time first(savedsearch_name) as current_savedsearch_name last(savedsearch_name) as previous_savedsearch_name by user
| where current_savedsearch_name="savedsearch_xyz"
0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...