Splunk Search

How to Retrieve a Stream of Events Based on a Field Value

Traer001
Path Finder

Hello,

I have a group of events like this (for one specific User Id):

2021-04-27 11:45:23  User Id: 123 Session Complete
2021-04-27 11:45:12  User Id: 123 Begin session  time: 1619538290
2021-04-27 11:44:56  User Id: 123 Begin session  time: 1619538290
2021-04-27 11:44:50  User Id: 123 Begin session  time: 1619538290
2021-04-27 11:42:25  User Id: 123 Begin session  time: 1619538145
2021-04-27 11:42:14  User Id: 123 Session Complete

In this example, I want to be able to grab all of the events from 11:44:50 until 11:45:23 because they have the same time value and end with a "Session Complete". However, my current query includes the event at 11:42:25. How can I rewrite this to exclude that entry and only keep the events from 11:44:50 up to the Session Complete message? My current query is below:

index=INDEX host=HOSTNAME sourcetype=SOURCETYPE
| rex field=_raw "User\sId:\s(?<user_id>\d+)\sBegin\ssession\s+time:\s(?<time_value>\d+)"
| rex field=_raw "User\sId:\s(?<user_id>\d+)\sSession\sComplete"
| where user_id<2000
| eval begin=if(match(_raw,"Begin"),_time,null)
| eval complete=if(match(_raw,"Complete"),_time,null)
| sort 0 user_id time_value -_time
| streamstats min(complete) as complete by time_value user_id
| stats min(begin) as begin by time_value user_id complete
| fieldformat complete=strftime(complete,"%Y-%m-%d %H:%M:%S")
| fieldformat begin=strftime(begin,"%Y-%m-%d %H:%M:%S")
| eval duration=tostring((complete-begin), "duration")
| where (complete-begin)>0

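The grouping the question describes, written out as a Python walk over the events rather than in SPL, as an added example that is not part of the original thread. It reads the sample events from the question (constructed data, copied verbatim), sorts them into chronological order, and treats each consecutive run of "Begin session" events that share a time value as one session whose start is the earliest Begin in the run; a "Session Complete" closes the open run, a Complete with no open run (the 11:42:14 event) is ignored, and a run that is superseded by a Begin with a different time value (the 11:42:25 event) is reported as abandoned instead of being folded into the next session. The regexes mirror the two rex patterns in the question; the 2000 user-id cutoff and the function names are this example's own.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: the six events from the question, newest first as Splunk lists them.
SAMPLE_EVENTS = """\
2021-04-27 11:45:23  User Id: 123 Session Complete
2021-04-27 11:45:12  User Id: 123 Begin session  time: 1619538290
2021-04-27 11:44:56  User Id: 123 Begin session  time: 1619538290
2021-04-27 11:44:50  User Id: 123 Begin session  time: 1619538290
2021-04-27 11:42:25  User Id: 123 Begin session  time: 1619538145
2021-04-27 11:42:14  User Id: 123 Session Complete
""".splitlines()

# Same field extraction as the question's two rex commands, plus the leading timestamp.
BEGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+User\sId:\s(?P<user_id>\d+)\sBegin\ssession\s+time:\s(?P<time_value>\d+)")
COMPLETE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+User\sId:\s(?P<user_id>\d+)\sSession\sComplete")
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


@dataclass
class Session:
    user_id: int
    time_value: int
    begin: datetime      # earliest Begin in the run that ends with this Complete
    complete: datetime

    @property
    def duration(self) -> int:
        """Seconds between the earliest Begin of the run and the Complete."""
        return int((self.complete - self.begin).total_seconds())


def parse(line):
    """Return (kind, timestamp, user_id, time_value) or None for lines that match neither pattern."""
    m = BEGIN_RE.match(line)
    if m:
        return ("begin", datetime.strptime(m["ts"], TS_FORMAT), int(m["user_id"]), int(m["time_value"]))
    m = COMPLETE_RE.match(line)
    if m:
        return ("complete", datetime.strptime(m["ts"], TS_FORMAT), int(m["user_id"]), None)
    return None


def sessionize(lines, max_user_id=2000):
    """Pair each Session Complete with the run of same-time_value Begins that precedes it.

    Returns (completed, abandoned): completed is a list of Session; abandoned is a list of
    (user_id, time_value, earliest_begin) for Begin runs that were never closed by a Complete.
    """
    events = [e for e in map(parse, lines) if e is not None and e[2] < max_user_id]
    events.sort(key=lambda e: e[1])  # chronological order, whatever order the input came in
    open_runs = {}                   # user_id -> (time_value, earliest begin of the current run)
    completed, abandoned = [], []
    for kind, ts, user_id, time_value in events:
        run = open_runs.get(user_id)
        if kind == "begin":
            if run is None or run[0] != time_value:
                if run is not None:
                    # A Begin with a new time_value supersedes the old run (the 11:42:25 event here).
                    abandoned.append((user_id, run[0], run[1]))
                open_runs[user_id] = (time_value, ts)
            # Same time_value as the open run: the earliest Begin is already recorded.
        else:
            if run is None:
                continue  # Complete with no open run (the 11:42:14 event): nothing to pair it with
            completed.append(Session(user_id, run[0], run[1], ts))
            del open_runs[user_id]
    # Runs still open at the end of the data never completed either.
    abandoned.extend((u, tv, b) for u, (tv, b) in open_runs.items())
    return completed, abandoned


if __name__ == "__main__":
    done, dropped = sessionize(SAMPLE_EVENTS)
    for s in done:
        print(f"user_id={s.user_id} time_value={s.time_value} "
              f"begin={s.begin:{TS_FORMAT}} complete={s.complete:{TS_FORMAT}} duration={s.duration}s")
    for user_id, time_value, begin in dropped:
        print(f"abandoned: user_id={user_id} time_value={time_value} begin={begin:{TS_FORMAT}}")
```

On the sample this yields exactly one session, 11:44:50 to 11:45:23 (33 seconds) with time value 1619538290, and lists the 11:42:25 Begin as abandoned. The equivalent SPL has to reproduce this "run" notion with streamstats or filldown, because a plain stats by time_value cannot tell an abandoned run from one that later completed.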

ITWhisperer
SplunkTrust
index=INDEX host=HOSTNAME sourcetype=SOURCETYPE
| rex field=_raw "User\sId:\s(?<user_id>\d+)\sBegin\ssession\s+time:\s(?<time_value>\d+)"
| rex field=_raw "User\sId:\s(?<user_id>\d+)\sSession\sComplete"
| where user_id<2000
| eval begin=if(match(_raw,"Begin"),_time,null)
| eval complete=if(match(_raw,"Complete"),_time,null)
| eventstats min(begin) as begin by time_value user_id
| sort user_id _time
| filldown begin time_value
| where (complete-begin)>0
| eval duration=tostring(complete-begin,"duration")

Traer001
Path Finder

Hello, thank you for the response but it does not appear to be getting what I need. I need to be able to grab the "Complete" message and the earliest "Begin" message with the same time value as the "Begin" messages leading up to the "Complete" message. I added a table command (| table user_id, time_value, begin, complete, duration) to the query you posted, but it doesn't show the correct "begin" and "complete" values.
