Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to Retrieve a Stream of Events Based on a Field Value

Traer001
Path Finder
‎04-27-2021 09:01 AM

Hello,

I have a group of events like this (for one specific User Id):

2021-04-27 11:45:23  User Id: 123 Session Complete

2021-04-27 11:45:12  User Id: 123 Begin session  time: 1619538290

2021-04-27 11:44:56  User Id: 123 Begin session  time: 1619538290

2021-04-27 11:44:50  User Id: 123 Begin session  time: 1619538290

2021-04-27 11:42:25  User Id: 123 Begin session  time: 1619538145

2021-04-27 11:42:14  User Id: 123 Session Complete

 

In this example, I want to be able to grab all of the events from 11:44:50 until 11:45:23 because they have the same time value and end with a "Session Complete". However, my current query includes the event at 11:42:25. How can I rewrite this to exclude that entry and only keep the events from 11:44:50 up to the Session Complete message? My current query is below:

 

index=INDEX host=HOSTNAME sourcetype=SOURCETYPE
| rex field=_raw "User\sId:\s(?<user_id>\d+)\sBegin\ssession\s+time:\s(?<time_value>\d+)"
| rex field=_raw "User\sId:\s(?<user_id>\d+)\sSession\sComplete"
| where user_id<2000
| eval begin=if(match(_raw,"Begin"),_time,null)
| eval complete=if(match(_raw,"Complete"),_time,null)
| sort 0 user_id time_value -_time
| streamstats min(complete) as complete by time_value user_id
| stats min(begin) as begin by time_value user_id complete
| fieldformat complete=strftime(complete,"%Y-%m-%d %H:%M:%S")
| fieldformat begin=strftime(begin,"%Y-%m-%d %H:%M:%S")
| eval duration=tostring((complete-begin), "duration")
| where (complete-begin)>0

 

Labels (3)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-27-2021 09:59 AM 
index=INDEX host=HOSTNAME sourcetype=SOURCETYPE
| rex field=_raw "User\sId:\s(?<user_id>\d+)\sBegin\ssession\s+time:\s(?<time_value>\d+)"
| rex field=_raw "User\sId:\s(?<user_id>\d+)\sSession\sComplete"
| where user_id<2000
| eval begin=if(match(_raw,"Begin"),_time,null)
| eval complete=if(match(_raw,"Complete"),_time,null)
| eventstats min(begin) as begin by time_value user_id
| sort user_id _time
| filldown begin time_value
| where (complete-begin)>0
| eval duration=tostring(complete-begin,"duration")
0 Karma
Reply

Traer001
Path Finder
‎04-27-2021 12:17 PM

Hello, thank you for the response but it does not appear to be getting what I need. I need to be able to grab the "Complete" message and the earliest "Begin" message with the same time value as the "Begin" messages leading up to the "Complete" message. I added a table command (| table user_id, time_value, begin, complete, duration) to the query you posted, but it doesn't show the correct "begin" and "complete" values.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...