How find events where "event.action"="START" AND n...

hooligeek · ‎03-06-2022

Given the example events below. ALL field values match with the exception of the "event.action" field.

{"event": {"action":"START","date":"DATE","title":"TITLE","user":"USER"}}

{"event": {"action":"FINISH","date":"DATE","title":"TITLE","user":"USER"}}

I'm trying to find events where "event.action"="START" AND no corresponding event where "event.action"="FINISH".

Both events should have the same "event.title" and "event.user".

hooligeek · ‎03-07-2022

Same. If you update your initial suggestion, I'll accept the solution. 😁

PickleRick · ‎03-06-2022

Do a stats values(event.action) by any combination of other fields that you need (event.title, event.user or whatever else you have there).

You'll get a multivalued field on which you'll be able to search for any (or both) action.

| stats values(event.action) as action by event.title event.user | search event.action="START" event.action="FINISH"

hooligeek · ‎03-07-2022

Thank you,

This helped me push forward with a little tweak.

Instead of :

| search event.action="START" event.action="FINISH"

Idid

| where action="START" action!="FINISH"

This provided me a list of occurrences with a START event and no FINISH event which is exactly what I was after.

PickleRick · ‎03-07-2022

Ahhh, you wanted start with no finish... right. 🙂

I sometimes read too quickly 😉

How find events where "event.action"="START" AND no corresponding event where "event.action"="FINISH".?