Splunk Search

Find users who have done an event A, but not done an event B


I have a splunk log that has fields 'user_id' and 'event'. What I would like to do is to find the list of users who have done an Event A, but has not done an Event B.

The way I have figured out right now uses a sub-search, but the number of items returned by the sub-search causes a more than maxout warning. The query I use is:

event=A user_id NOT [event=B | fields user_id]

What is the alternate way to do this?

Tags (1)
0 Karma


Try this

event=A OR event=B
| stats count(eval(event="A")) as ACount count(eval(event="B")) as Bcount by user_id
| where ACount >= 1 AND BCount < 1

I realize that you are being abstract in your question, so my answer may not have enough details for you. Follow up with more details about event A and event B, if you want a more detailed answer...


@Iguinn, the answer looks promising. Just to have some more clarity, the events are something like this:
Event A = a user registration event (usually happens only once per user)
Event B = a user doing a payment on our application (could happen many times for a user or never at all).

So what I'm looking at is the list of users who have registered but have not yet done even a single payment. Hope this clarifies.


0 Karma
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...