Splunk Search
Highlighted

Finding next event where field is similar

Path Finder

How do I find the next event where a field is repeated?

Scenario:

I have following fields in an index

TIME|DATE|ACCOUNT|TYPE|CAUSE|RESOLUTION

And I want to find Type,Cause,Resolution for next event where the Account number is same.

0 Karma
Highlighted

Re: Finding next event where field is similar

Splunk Employee
Splunk Employee

Look into the map and transaction commands.

0 Karma
Highlighted

Re: Finding next event where field is similar

Splunk Employee
Splunk Employee

* | transaction ACCOUNT

  • Or build a stats search grouping per Account.

* | stats values(_raw) by ACCOUNT

  • Or use subsearches and use the result as a condition for the main search.

mysearch1 [ search mysearch2 | dedup ACCOUNT | table ACCOUNT ]

0 Karma
Highlighted

Re: Finding next event where field is similar

Ultra Champion

Probably you should specify a few sample events. Is it only interesting to report if the events are sequential? How do you find the 'first' event (that you want to find a sequel to)?

Some commands that may prove useful (read up on them in the Search Reference manual;

dedup (possibly in conjunction with reverse)

stats functions like values() or list()

transaction on ACCOUNT

or a simple table, perhaps?

/K

0 Karma
Highlighted

Re: Finding next event where field is similar

Path Finder

Sample:

TIME|DATE|ACCOUNT|TYPE|CAUSE|RESOLUTION
07:04|10/08/2013|112233|Video|Error|Reset
16:48|10/08/2013|112233|Video|Conflict|TechCall
12:34|10/07/2013|121244|DOCSIS|Connection|Tech

For the above data, I want to see a output like this:

TIME|DATE|ACCOUNT|TYPE|CAUSE|RESOLUTION|NEXTTYPE|NEXTCAUSE|NEXTRESOLUTION|DURATION
07:04|10/08/2013|112233|Video|Error|Reset|Video|Conflict|TechCall|584min
16:48|10/08/2013|112233|Video|Conflict|TechCall||||
12:34|10/07/2013|121244|DOCSIS|Connection|Tech||||

NEXTTYPE, NEXTCAUSE, NEXTRESOLUTION, and DURATION should be blank if there are no next events.

0 Karma