Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extract common user who encounters different values for the same field over time

BoGiulio
New Member
‎06-21-2018 02:01 AM

Hello, Splunk noob here. I'd like to find in my index users who encounters an error during a phase of a process but later, for the same phase, are able to succeed. So it would be something like this:

User=A phase="something" result=error 10:00 AM
User=A phase="something" result=success 10:05 AM

I'd like to be able to gather all of the users who face a similar situation.
Anyone can suggest a solution?

Thanks a lot in advance.

Tags (1)
0 Karma
Reply

LxSenpai
Explorer
‎06-21-2018 09:10 AM

Hey there, Looks like you need to add a "filter" that says "return all the events for this User A that has error and success for this period of time" .

Also there is "Alerts" that you could create which will give you basically alerts on such events.

0 Karma
Reply

somesoni2
Revered Legend
‎06-21-2018 08:06 AM

May be something like this would work.

your search
| stats latest(result) as latest values(result) as results by User phase
| where latest="success" AND isnotnull(mvfind(match(results,"error")))
0 Karma
Reply

BoGiulio
New Member
‎06-21-2018 08:49 AM

@somesoni2 maybe I am doing some mistakes putting my real values instead of placeholders, but it doesn't seem to be working. Thanks a lot anyway!

0 Karma
Reply

somesoni2
Revered Legend
‎06-21-2018 09:22 AM

Would you mind sharing the search you're trying with? Scrub anything sensitive. Did you get any error running above search OR just the output is not as expected?

0 Karma
Reply

niketn
Legend
‎06-21-2018 04:33 AM

@BoGiulio what if there is an error after success again? Is there supposed to be excluded?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

BoGiulio
New Member
‎06-21-2018 06:14 AM

@niketnilay for the data I'm focusing on there can't be a sequence success-error, only sometimes error-success; after the user has success for a specific phase, it goes to the next one. Thanks a lot for your time.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...