Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

eval if field value is same in two different events

user93
Communicator
‎06-24-2020 09:18 AM

Hello

How can I return results, for all events, where a field value is the same in two of those events. 

For example, on a website, I want only events were one user viewed two different pages and the events of the page loads are different events. I don't want to specify the users, but rather return all the users that viewed both pages. 

 

<base> page=abcd OR page=1234 AND  (eval if userids are equal)  

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-24-2020 10:19 AM

That can be done with stats rather than eval.

<base> (page=abcd OR page=1234) 
`comment("Group the unique page names by user")`
| stats values(page) as pages by user
`comment("Filter out the users that only viewed one page")`
| where mvcount(pages) = 2
`comment("Return all the users that viewed both pages")`
| table user

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-24-2020 10:19 AM

That can be done with stats rather than eval.

<base> (page=abcd OR page=1234) 
`comment("Group the unique page names by user")`
| stats values(page) as pages by user
`comment("Filter out the users that only viewed one page")`
| where mvcount(pages) = 2
`comment("Return all the users that viewed both pages")`
| table user

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

user93
Communicator
‎06-24-2020 11:39 AM

Thanks @richgalloway ! I'm not sure how to upvote in the new UI, but I accepted the solution.  

It works, but I realize I need to further refine. I need for both page visits to have occurred on the same day to be counted as 1.  If someone visits page abcd and two months later page 1234, they are less likely to be related as if they visited both within the same day or the same hour. 

 

Any ideas? 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-24-2020 11:45 AM

You can up-vote a reply by clicking on the thumbs-up icon below it.

Here's an untested update to my query that accounts for the time between page views.

<base> (page=abcd OR page=1234) 
`comment("Group the unique page names by user")`
| stats values(page) as pages, range(_time) as timeSpan by user
`comment("Filter out the users that only viewed one page")`
| where (mvcount(pages) = 2 and (timeSpan <= 3600)
`comment("Return all the users that viewed both pages")`
| table user
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

user93
Communicator
‎06-24-2020 11:58 AM

Thanks again @richgalloway , it works! If I could upvote twice I would 🙂 

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...