Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I use a large input in a query?

trunghung
Path Finder
‎04-08-2016 06:23 PM

I am try to write some query[ies] so that I find user who had done action A AFTER they did action B . the time span is simply too long to use transaction command. Previously when I used to run a query for userid who did action A (the smaller set of the 2), manually make that list into a giant (userid1 OR userid2) and search for users who did action B. This would work when the output from action A was around 10k id. Now I have to do thing same thing, except the the number of user now increase to the hundreds of thousand range too impractical to do the manual approach. I tried using subsearch but that doesn't work well with large input data. can someone suggest a solution that scale well? thanks

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎04-09-2016 11:16 AM

Try this:

(index=eventA OR index=eventB) (action="A" OR action="B") | streamstats count(eval(action="A")) AS SessionID BY user | sort SessionID user
0 Karma
Reply

trunghung
Path Finder
‎04-09-2016 11:47 AM

sorry I left out an important part of the question, I need to find the userID of those who did action A AFTER they did action B. your query wont' work. thanks you for your help though

0 Karma
Reply

woodcock
Esteemed Legend
‎04-28-2016 08:08 AM

OK, try this:

(index=eventA OR index=eventB) (action="A" OR action="B") | streamstats count(eval(action="A")) AS SessionID BY user userID | sort SessionID user userID
0 Karma
Reply

sundareshr
Legend
‎04-09-2016 07:52 AM

Have you tried something like this

index=eventA OR index=eventB action=A or action=B | chart count over user by action | where actionA>0 AND actionB>0
0 Karma
Reply

trunghung
Path Finder
‎04-09-2016 11:47 AM

sorry I left out an important part of the question, I need to find the userID of those who did action A AFTER they did action B. your query wont' work. thanks you for your help though

0 Karma
Reply

sundareshr
Legend
‎04-11-2016 11:39 AM

Try this

index=eventA OR index=eventB action=A or action=B | stats latest(eval(if(action="A", _time, null()))) as a latest(eval(if(action="B", _time, null()))) as b by userid | where a>b
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

 Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...