Splunk Search

How do I use a large input in a query?

trunghung
Path Finder

I am trying to write some queries to find users who did action A AFTER they did action B. The time span is simply too long to use the transaction command. Previously, I would run a query for the user IDs who did action A (the smaller of the two sets), manually turn that list into a giant (userid1 OR userid2 ...) clause, and search for users who did action B. This worked when the output from action A was around 10k IDs. Now I have to do the same thing, except the number of users has increased to the hundreds of thousands, which is too impractical for the manual approach. I tried using a subsearch, but that doesn't work well with large input data. Can someone suggest a solution that scales well? Thanks.

0 Karma

woodcock
Esteemed Legend

Try this:

(index=eventA OR index=eventB) (action="A" OR action="B") | streamstats count(eval(action="A")) AS SessionID BY user | sort SessionID user
0 Karma

trunghung
Path Finder

Sorry, I left out an important part of the question: I need to find the user IDs of those who did action A AFTER they did action B. Your query won't work. Thank you for your help, though.

0 Karma

woodcock
Esteemed Legend

OK, try this:

(index=eventA OR index=eventB) (action="A" OR action="B") | streamstats count(eval(action="A")) AS SessionID BY user userID | sort SessionID user userID
0 Karma

sundareshr
Legend

Have you tried something like this

(index=eventA OR index=eventB) (action=A OR action=B) | chart count OVER user BY action | where A>0 AND B>0
0 Karma

trunghung
Path Finder

Sorry, I left out an important part of the question: I need to find the user IDs of those who did action A AFTER they did action B. Your query won't work. Thank you for your help, though.

0 Karma

sundareshr
Legend

Try this

(index=eventA OR index=eventB) (action=A OR action=B) | stats latest(eval(if(action="A", _time, null()))) AS a latest(eval(if(action="B", _time, null()))) AS b BY userid | where a>b
0 Karma
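The stats-based approach above is the scalable answer to the original question: a single `stats ... BY userid` over both event sets is a distributed, single-pass aggregation with no result cap, whereas a subsearch is truncated at the `[subsearch] maxout` limit (10,000 results by default), which is exactly why the manual `(userid1 OR userid2 ...)` list stopped working past ~10k IDs. The following is an added, self-contained example that is not part of the thread; it builds a small constructed data set with `makeresults` so it can be pasted into any Splunk search bar, and assumes the field names `userid`, `action` and `_time`. It checks "any A strictly after the first B" (min of B versus max of A); if the intended condition is instead "the latest A is after the latest B", as in the answer above, swap `min`/`max` for `latest`.

```spl
| makeresults count=1
| eval raw="u1,B,100;u1,A,200;u2,A,100;u2,B,200;u3,A,100;u3,A,300;u4,B,50;u4,A,50"
| makemv delim=";" raw
| mvexpand raw
| rex field=raw "^(?<userid>[^,]+),(?<action>[^,]+),(?<ts>\d+)$"
| eval _time=tonumber(ts)
| fields userid action _time
| stats min(eval(if(action="B", _time, null()))) AS first_b
        max(eval(if(action="A", _time, null()))) AS last_a
        count(eval(action="A")) AS a_count
        count(eval(action="B")) AS b_count
        BY userid
| where isnotnull(first_b) AND isnotnull(last_a) AND last_a > first_b
| table userid first_b last_a a_count b_count
```

With the constructed rows, only `u1` is returned: `u2` did B after A, `u3` never did B (so `first_b` is null and the `isnotnull` guard drops it), and `u4` did both at the same timestamp, which the strict `>` excludes. In production, replace the first seven lines with the real search (`(index=eventA OR index=eventB) (action="A" OR action="B")`) and keep the `stats`/`where` tail; it runs on the indexers and scales to hundreds of thousands of users without any subsearch.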