Help with subsearch

mburbidg · ‎02-03-2012

I have two different kinds of events. I would like to relate the two. The first event looks like this.

[2012-02-02 20:17:51,931] INFO - sessionId=8AD487DD-DB3F-4C3E-AB9A-302ABF05E6FC code=NewsStandPushNotificationReceived externalSignInStatus=true

The second looks like this.

[2012-02-02 20:18:03,050] INFO - sessionId=8AD487DD-DB3F-4C3E-AB9A-302ABF05E6FC code=NewsStandPushCompleted startedBackgroundDownload=true

I would like to find all the sessionIds where startedBackgroundDownload=false from the second event and externalSignInStatus=true from the first event.

I think I would be able to do this with a subsearch, but nothing I've tried has resulted in anything but 0 matching events. Can anyone help me with a subsearch that would do what I need?

Damien_Dallimor · ‎02-03-2012

A transaction based on sessionID might a better solution :

yourinitialsearch | transaction sessionId startswith="externalSignInStatus=true" endswith="startedBackgroundDownload=false"

Help with subsearch

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation

Help with subsearch

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience