Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with diff or eval?

tmarlette
Motivator
‎10-29-2012 10:30 AM

I have one search, for one event type, and a second search for a second event type. one is 'user login' and the other is 'user logout', right? Ideally in the search i am trying to create, the result set would be all of the users that have logged in, and that have not logged out.

I tried to use diff, but I don't know if that function is the best to use for this?

I'm still pretty new to Splunk, so please take a look.

My search looks like this:
| join user(subsearch for eventtype 2) | dedup user | table _time,host,user,ip

this seems to give me all of the users that have logged in, and logged out. I'm looking for those that have logged in, and that have NOT logged out. any ideas?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎10-29-2012 10:49 AM

Perhaps transaction would be better suited for your scenario.

You could do something like

eventtype1 OR eventtype2 | transaction user | search eventtype1 AND NOT eventtype2

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎10-29-2012 10:49 AM

Perhaps transaction would be better suited for your scenario.

You could do something like

eventtype1 OR eventtype2 | transaction user | search eventtype1 AND NOT eventtype2
Reply
Solved! Jump to solution

tmarlette
Motivator
‎04-17-2013 08:17 AM

This did work with some more monkeying! Thank you!

0 Karma
Reply
Solved! Jump to solution

tmarlette
Motivator
‎10-29-2012 01:06 PM

I believe it's closer, I think I will still have to fiddle with this to get it right.

Thank you so much! I'm sure ill be back. 😃

0 Karma
Reply
Get Updates on the Splunk Community!

Application management with Targeted Application Install for Victoria Experience

  Experience a new era of flexibility in managing your Splunk Cloud Platform apps! With Targeted Application ...

Index This | What goes up and never comes down?

January 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

The Power of Two: Splunk + Cisco at "Ludicrous Scale"   You know Splunk. You know Cisco. But have you seen ...