Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Extract common user who encounters different value...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Extract common user who encounters different values for the same field over time
BoGiulio
New Member
06-21-2018
02:01 AM
Hello, Splunk noob here. I'd like to find in my index users who encounters an error during a phase of a process but later, for the same phase, are able to succeed. So it would be something like this:
User=A phase="something" result=error 10:00 AM
User=A phase="something" result=success 10:05 AM
I'd like to be able to gather all of the users who face a similar situation.
Anyone can suggest a solution?
Thanks a lot in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
LxSenpai
Explorer
06-21-2018
09:10 AM
Hey there, Looks like you need to add a "filter" that says "return all the events for this User A that has error and success for this period of time" .
Also there is "Alerts" that you could create which will give you basically alerts on such events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
06-21-2018
08:06 AM
May be something like this would work.
your search
| stats latest(result) as latest values(result) as results by User phase
| where latest="success" AND isnotnull(mvfind(match(results,"error")))
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
BoGiulio
New Member
06-21-2018
08:49 AM
@somesoni2 maybe I am doing some mistakes putting my real values instead of placeholders, but it doesn't seem to be working. Thanks a lot anyway!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
06-21-2018
09:22 AM
Would you mind sharing the search you're trying with? Scrub anything sensitive. Did you get any error running above search OR just the output is not as expected?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
06-21-2018
04:33 AM
@BoGiulio what if there is an error after success again? Is there supposed to be excluded?
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
BoGiulio
New Member
06-21-2018
06:14 AM
@niketnilay for the data I'm focusing on there can't be a sequence success-error, only sometimes error-success; after the user has success for a specific phase, it goes to the next one. Thanks a lot for your time.
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
