Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Find all events not having a corresponding event matched by one field's value (WHERE NOT EXISTS)

lbowen
Engager
‎05-21-2014 01:31 PM

I am dealing with two event types: request_start and request_end. Both have a request_id field. Is there a way that I can find all request_start events that exist where there is no request_end event with the same request_id?

I've found on here that it's easy to filter out events having the same value in two different fields, but this is different because it requires a "WHERE NOT EXISTS" sort of predicate to reference another event rather than comparing values in the same event.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

wpreston
Motivator
‎05-21-2014 01:53 PM

Sure. The following methods assume that request_id is unique and that each request will only have one request_start and request_end event each. One way to find what you need would be to use transaction:

eventtype=request_start OR eventtype=request_end 
| transaction request_id startswith="eventtype=request_start" endswith="eventtype=request_end" keepevicted=t 
| search closed_txn=0 eventtype=request_start 
| stats count

Another way of doing this would be to use stats and a subsearch:

eventtype=request_start [search eventtype=request_start OR eventtype=request_end 
| stats count by request_id | where count=1 | fields request_id]

Try these out and see if they get what you need.

View solution in original post

Reply
Solved! Jump to solution
Solution

wpreston
Motivator
‎05-21-2014 01:53 PM

Sure. The following methods assume that request_id is unique and that each request will only have one request_start and request_end event each. One way to find what you need would be to use transaction:

eventtype=request_start OR eventtype=request_end 
| transaction request_id startswith="eventtype=request_start" endswith="eventtype=request_end" keepevicted=t 
| search closed_txn=0 eventtype=request_start 
| stats count

Another way of doing this would be to use stats and a subsearch:

eventtype=request_start [search eventtype=request_start OR eventtype=request_end 
| stats count by request_id | where count=1 | fields request_id]

Try these out and see if they get what you need.

Reply
Solved! Jump to solution

lbowen
Engager
‎05-21-2014 02:19 PM

You're awesome.

0 Karma
Reply
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...