Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Compare _time of 2 events

g_paternicola
Path Finder
‎05-17-2021 01:45 AM

Hi everyone,

I have two event:

first event with the event_name=LOGIN
second event with event_name LOGOUT

I need to get only events with event_name=LOGIN, but only if the event_name=LOGIN time is newer then the event_name LOGOUT

Is there a possibility to do so? Thank you very much for helping me!

Labels (3)
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aasabatini
Motivator
‎05-17-2021 02:17 AM

@g_paternicola 

sorry man I forgot the double quotes 😅

| eval time_login=if(event_name="LOGIN",_time,"")
| eval time_logout=if(event_name="LOGOUT",_time,"")
| where time_login > time_logout

 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

View solution in original post

Tags (1)
Reply
Solved! Jump to solution

g_paternicola
Path Finder
‎05-17-2021 02:06 AM

Hi Alessandro

Thank you for your search,  unfortunately, I do not get any data back... 
This is the time I will get:

g_paternicola_0-1621242316369.png

I this case, logout is newer then login, so I should not get any data back...



0 Karma
Reply
Solved! Jump to solution

aasabatini
Motivator
‎05-17-2021 01:59 AM

Hi @g_paternicola 

I'm not sure if I understand but try this:

| eval time_login=if(event_name=LOGIN,_time,"")
| eval time_logout=if(event_name=LOGOUT,_time,"")
| where time_login > time_logout

If I missed the point please give more details

Alessandro

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma
Reply
Solved! Jump to solution

aasabatini
Motivator
‎05-17-2021 02:10 AM

Hi @g_paternicola 

please show me the result of this search

| eval time_login=if(event_name=LOGIN,_time,"")
| eval time_logout=if(event_name=LOGOUT,_time,"")
| tale event_name time_login time_logout

 event_name=LOGIN newer than event_logout do you mean more recent?

thanks in advance

Alessandro

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma
Reply
Solved! Jump to solution

g_paternicola
Path Finder
‎05-17-2021 02:14 AM

Yes, with newer I mean more recent:
I will get this result:



Preview file
39 KB
0 Karma
Reply
Solved! Jump to solution
Solution

aasabatini
Motivator
‎05-17-2021 02:17 AM

@g_paternicola 

sorry man I forgot the double quotes 😅

| eval time_login=if(event_name="LOGIN",_time,"")
| eval time_logout=if(event_name="LOGOUT",_time,"")
| where time_login > time_logout

 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
Tags (1)
Reply
Solved! Jump to solution

g_paternicola
Path Finder
‎05-17-2021 02:19 AM

It works now... Grazie!

0 Karma
Reply
Solved! Jump to solution

aasabatini
Motivator
‎05-17-2021 02:37 AM

@g_paternicola  Prego!

if works please accept the solution

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...