Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to Retrieve a Stream of Events Based on a Field Value

Traer001
Path Finder
‎04-27-2021 09:01 AM

Hello,

I have a group of events like this (for one specific User Id):

2021-04-27 11:45:23  User Id: 123 Session Complete

2021-04-27 11:45:12  User Id: 123 Begin session  time: 1619538290

2021-04-27 11:44:56  User Id: 123 Begin session  time: 1619538290

2021-04-27 11:44:50  User Id: 123 Begin session  time: 1619538290

2021-04-27 11:42:25  User Id: 123 Begin session  time: 1619538145

2021-04-27 11:42:14  User Id: 123 Session Complete

 

In this example, I want to be able to grab all of the events from 11:44:50 until 11:45:23 because they have the same time value and end with a "Session Complete". However, my current query includes the event at 11:42:25. How can I rewrite this to exclude that entry and only keep the events from 11:44:50 up to the Session Complete message? My current query is below:

 

index=INDEX host=HOSTNAME sourcetype=SOURCETYPE
| rex field=_raw "User\sId:\s(?<user_id>\d+)\sBegin\ssession\s+time:\s(?<time_value>\d+)"
| rex field=_raw "User\sId:\s(?<user_id>\d+)\sSession\sComplete"
| where user_id<2000
| eval begin=if(match(_raw,"Begin"),_time,null)
| eval complete=if(match(_raw,"Complete"),_time,null)
| sort 0 user_id time_value -_time
| streamstats min(complete) as complete by time_value user_id
| stats min(begin) as begin by time_value user_id complete
| fieldformat complete=strftime(complete,"%Y-%m-%d %H:%M:%S")
| fieldformat begin=strftime(begin,"%Y-%m-%d %H:%M:%S")
| eval duration=tostring((complete-begin), "duration")
| where (complete-begin)>0

 

Labels (3)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-27-2021 09:59 AM 
index=INDEX host=HOSTNAME sourcetype=SOURCETYPE
| rex field=_raw "User\sId:\s(?<user_id>\d+)\sBegin\ssession\s+time:\s(?<time_value>\d+)"
| rex field=_raw "User\sId:\s(?<user_id>\d+)\sSession\sComplete"
| where user_id<2000
| eval begin=if(match(_raw,"Begin"),_time,null)
| eval complete=if(match(_raw,"Complete"),_time,null)
| eventstats min(begin) as begin by time_value user_id
| sort user_id _time
| filldown begin time_value
| where (complete-begin)>0
| eval duration=tostring(complete-begin,"duration")
0 Karma
Reply

Traer001
Path Finder
‎04-27-2021 12:17 PM

Hello, thank you for the response but it does not appear to be getting what I need. I need to be able to grab the "Complete" message and the earliest "Begin" message with the same time value as the "Begin" messages leading up to the "Complete" message. I added a table command (| table user_id, time_value, begin, complete, duration) to the query you posted, but it doesn't show the correct "begin" and "complete" values.

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...