Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Extract common user who encounters different values for the same field over time

BoGiulio
New Member
‎06-21-2018 02:01 AM

Hello, Splunk noob here. I'd like to find in my index users who encounters an error during a phase of a process but later, for the same phase, are able to succeed. So it would be something like this:

User=A phase="something" result=error 10:00 AM
User=A phase="something" result=success 10:05 AM

I'd like to be able to gather all of the users who face a similar situation.
Anyone can suggest a solution?

Thanks a lot in advance.

Tags (1)
0 Karma
Reply

LxSenpai
Explorer
‎06-21-2018 09:10 AM

Hey there, Looks like you need to add a "filter" that says "return all the events for this User A that has error and success for this period of time" .

Also there is "Alerts" that you could create which will give you basically alerts on such events.

0 Karma
Reply

somesoni2
Revered Legend
‎06-21-2018 08:06 AM

May be something like this would work.

your search
| stats latest(result) as latest values(result) as results by User phase
| where latest="success" AND isnotnull(mvfind(match(results,"error")))
0 Karma
Reply

BoGiulio
New Member
‎06-21-2018 08:49 AM

@somesoni2 maybe I am doing some mistakes putting my real values instead of placeholders, but it doesn't seem to be working. Thanks a lot anyway!

0 Karma
Reply

somesoni2
Revered Legend
‎06-21-2018 09:22 AM

Would you mind sharing the search you're trying with? Scrub anything sensitive. Did you get any error running above search OR just the output is not as expected?

0 Karma
Reply

niketn
Legend
‎06-21-2018 04:33 AM

@BoGiulio what if there is an error after success again? Is there supposed to be excluded?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

BoGiulio
New Member
‎06-21-2018 06:14 AM

@niketnilay for the data I'm focusing on there can't be a sequence success-error, only sometimes error-success; after the user has success for a specific phase, it goes to the next one. Thanks a lot for your time.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...