- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to create a search where two values of a f...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to create a search where two values of a field should not overlap with time?
Hello,
So I have data like these:
**_time, id, event**
2019-03-18 15:00:00.0, someone1, checkedin
2019-03-18 16:00:00.0, someone1, X
2019-03-18 16:15:00.0, someone1, checkedout
2019-03-18 17:00:00.0, someone1, checkedin
2019-03-18 17:15:00.0, someone1, checkedout
2019-03-18 15:30:00.0, someone2, checkedin
2019-03-18 16:30:00.0, someone2, checkedout
***2019-03-18 15:00:00.0, someone3, checkedin
2019-03-18 15:30:00.0, someone3, checkedin
2019-03-18 16:15:00.0, someone3, checkedout
2019-03-18 16:30:00.0, someone3, checkedout***
2019-03-18 15:30:00.0, someone4, checkedin
2019-03-18 15:45:00.0, someone4, X
2019-03-18 16:15:00.0, someone4, checkedout
I do not care about the lines with the event is different than "checkedin" or "checkedout" ("X" here).
I want to be able to detect when a person checked-in twice or more with the same id before checking out (look at bold and italic lines). And I want to return all lines or, at least id, where this is the case. I want to seperate my results per id.
As I wanted to group per id but I also make a disctinction per event, my first codes were:
(event="checkedin" OR event="checkedout") | timechart span=15m count(id) by event
or
(event="checkedin" OR event="checkedout") | timechart span=15m count(event) by id
But they clearly do not give me what I want.
I also thought about multiple searches but as you cannot put streaming functions, it is not working.
Do you have an idea how to do it please?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@acathignol you can try something like this, it will give you login and logout counts in a 15 minute time span per id.
<your query>| bin span=15min _time|stats count(eval(event="checkedin")) as checkedin, count(eval(event="checkedout")) as checkedout by id _time| where checkedin > checkedout
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your answer. At the end, I would like to see if 2 persons are actually using the same pass, which I can see if they are checking in without the other checking out first.
The code you have written gave me the lines in italic and bold. The thing is that there is no disctinction between people using the same pass or poeple using a pass, checking out and then checking in again.
_time, id, checkedin, checkedout
2019-03-18 15:00:00.0, someone1, 1, 0
2019-03-18 16:15:00.0, someone1, 0, 1
2019-03-18 17:00:00.0, someone1, 1, 1
2019-03-18 15:30:00.0, someone2, 1, 0
2019-03-18 16:30:00.0, someone2, 0, 1
2019-03-18 15:00:00.0, someone3, 1, 0
2019-03-18 15:30:00.0, someone3, 1, 0
2019-03-18 16:15:00.0, someone3, 0, 2
2019-03-18 15:30:00.0, someone4, 1, 0
2019-03-18 16:15:00.0, someone4, 0, 1
Introducing the Splunk Community Dashboard Challenge!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
