Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

eval if field value is same in two different events

user93
Communicator
‎06-24-2020 09:18 AM

Hello

How can I return results, for all events, where a field value is the same in two of those events. 

For example, on a website, I want only events were one user viewed two different pages and the events of the page loads are different events. I don't want to specify the users, but rather return all the users that viewed both pages. 

 

<base> page=abcd OR page=1234 AND  (eval if userids are equal)  

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-24-2020 10:19 AM

That can be done with stats rather than eval.

<base> (page=abcd OR page=1234) 
`comment("Group the unique page names by user")`
| stats values(page) as pages by user
`comment("Filter out the users that only viewed one page")`
| where mvcount(pages) = 2
`comment("Return all the users that viewed both pages")`
| table user

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-24-2020 10:19 AM

That can be done with stats rather than eval.

<base> (page=abcd OR page=1234) 
`comment("Group the unique page names by user")`
| stats values(page) as pages by user
`comment("Filter out the users that only viewed one page")`
| where mvcount(pages) = 2
`comment("Return all the users that viewed both pages")`
| table user

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

user93
Communicator
‎06-24-2020 11:39 AM

Thanks @richgalloway ! I'm not sure how to upvote in the new UI, but I accepted the solution.  

It works, but I realize I need to further refine. I need for both page visits to have occurred on the same day to be counted as 1.  If someone visits page abcd and two months later page 1234, they are less likely to be related as if they visited both within the same day or the same hour. 

 

Any ideas? 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-24-2020 11:45 AM

You can up-vote a reply by clicking on the thumbs-up icon below it.

Here's an untested update to my query that accounts for the time between page views.

<base> (page=abcd OR page=1234) 
`comment("Group the unique page names by user")`
| stats values(page) as pages, range(_time) as timeSpan by user
`comment("Filter out the users that only viewed one page")`
| where (mvcount(pages) = 2 and (timeSpan <= 3600)
`comment("Return all the users that viewed both pages")`
| table user
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

user93
Communicator
‎06-24-2020 11:58 AM

Thanks again @richgalloway , it works! If I could upvote twice I would 🙂 

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...