as the title indicates I'm looking for a way to identify when three events do not occur within a specified amount of time. I know that I can locate when two events do occur within a maximum time span by using a transaction.
index=myIndex email@example.com OR *pictureOne.png* | transaction tName firstname.lastname@example.org endswith=*pictureOne.png* maxspan=1s
I'm still a bit of a Splunk noob so my approach to obtain the results I'm looking for is certainly naive (as well as doesn't work) but here's what I consider the best effort I've put forth so far.
[search index=myIndex email@example.com OR *pictureOne.png* | transaction tNameOne firstname.lastname@example.org endswith=*pictureOne.png* maxspan=1s] | stats count as one [search index=myIndex email@example.com OR *pictureTwo.png* | transaction tNameOne firstname.lastname@example.org endswith=*pictureTwo.png* maxspan=1s] | stats count as two | eval err=if(one==two, "No issue", "Issue present")
The idea was to check if the count of events returned by the two subsearchs match. For instance if my search is performed over a period of 24 hours, then the total number of times each image is associated with the specified username should match. Basically I'm running into an intermittent issue where one image is being requested and the other is not. I believe this should help identify effected users. It seems to me I have a few errors within the aforementioned query. Does everything have to be piped into each other? I was hoping I could define and alias some subsearchs and then evaluate the number of events returned. However, this does not seem to be the case. When that didn't work I figured I could just define some variables and set them to the result of the subsearches and evaluate if the event counts match. But I can't find any documentations on defining and setting variables. So I'm guessing that's not an option. Sorry for the sloppy naming convention within my query's and thanks in advance for any assistance I might receive.
You could try to get all of your data at once, specifying
pictureOne.png OR pictureTwo.png, then use rex to extract the value of the link picture into a field, and then count by value of fields and time
Something like this
search index=myIndex email@example.com OR *pictureOne.png* OR pictureTwo.png | rex field=_raw "(?<pic>[\S]*)" | timechart count by pic
Hey @tiagofbmm, thanks so much for the reply. I just tested this out and it does return results. There are unfortunately two reasons why it's output won't satisfy my needs. The first being that it groups the events into a single count per result. I need to see a comparison between the occurrences of picOne and picTwo. That way I can determine if my intermittent issue is present. The second issue is a bit more serious and is something I forgot to mention in my original post. Sorry about that. The requests that get logged for the images don't contain user data. Just the fact that the image was requested by someone. That's why I was trying to use transactions to limit the results to the image requests that we're logged within 1 second of the user also being logged.
Assuming each of your events has either picone or pictwo, the pic field after that rex would have either the values of picone or pictwo, and the timechart count by pic would give you, at each given time bucket, the count or picone and pictwo accesses.
Time Count Pic
9am 10 one
9am 20 two
If after this you wanted to compare the counts of picone and pictwo per given time, a
transpose command may help and allows you to do an eval to compare counts of picone and pictwo.
I may be picturing a wrong dataset from you. Let me know if transposing and then eval helps you
Not every event contains a reference to picOne or picTwo. So based on your previous comment I'm not sure if this approach will work. The results of the query are currently grouping the occurrences of picOne and picTwo into singular time slices.