Splunk Search

Comparing fields with previous events

sudhir_gandhe
Explorer

A logon script generates an event every time a user logs into the desktop. Here are the sample events in Splunk from those events -

user_A;05/10/13 10:15:01 AM;field1="cat";field2="mouse"
user_B;05/10/13 09:01:01 AM;field1="cat";field2="mouse"
user_A;05/09/13 09:05:01 AM;field1="mouse";field2="horse"
user_B;05/09/13 09:01:01 AM;field1="cat";field2="mouse"
user_A;05/08/13 11:05:01 AM;field1="mouse";field2="horse"

I want to be able to generate a report when "field1" changes per user, even compared to the last event. In this case I want a report that lists the event "user_A;05/10/13 10:15:01 AM;field1="cat";field2="mouse". Any help would be appreciated.

Thanks.

Tags (1)
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

You could use streamstats to copy the previous field value into the current event by user, and then do the comparisons and filters you like.

View solution in original post

HeinzWaescher
Motivator

Hi,

I think i have got a similiar problem, which can hopefully be solved with this kind of search.

I want to achieve a timechart, where the count per day is about all unique users who have been active on that day and the day before.

For Instance:

02.01.2013 - 2500 -> this means, that 2500 users have been active on 01.01.2013 and 02.01.013

I'm not 100 % sure about the effects of the streamstats command, but after reading the posts above, my approach would be:

sourcetype=A |bucket _time span=1d| dedup _time,user| sort _time
| streamstats current=f window=1 global=f last(_time) as previous_time by user | eval returning_user=_time-previous_time | where returning_user="86400"| timechart span=1d dc(user)

Is this a correct adjustment to achieve my needed resultt with this kind of search?

Best Regards

Heinz

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

You could use streamstats to copy the previous field value into the current event by user, and then do the comparisons and filters you like.

sudhir_gandhe
Explorer

Perfect. Thank you very much.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

SQL is an entirely different thing 😛

Using streamstats, you can start like this (untested, don't have splunk for android...):

you base search | streamstats current=f window=1 global=f last(field1) as last_field1 by user | where field1!=last_field1

The streamstats copies the last value into the current event, and the where only keeps those where the value has changed. For reference, take a look at http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Streamstats in case I mixed up some switch... 🙂

sudhir_gandhe
Explorer

I am not really a SQL guys and havent used streamstats before. Can you help build me this query? Thanks for any help.

0 Karma
Get Updates on the Splunk Community!

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...