In the query below I am trying to find all users who logged in and then did not log in again within the time range. Unfortunately, it is not returning any results, which I know to be wrong by verifying for a specific UID.
earliest=-2d@d latest=-0d@d msg=login_daily `money_countries` | transaction uid startswith=(msg="login_daily") endswith=(msg="login_daily") keepevicted=true | search closed_txn=0 | table uid
Once I can get this working, I would like to find only unclosed transactions where the absence of a second login comes 30 days after the first login. Is this possible?
You can do this with transaction but it is inefficient. I am not entirely sure I understand what you are trying to do (the confusion comes from the fact that your startswith and endswith strings are identical), but I think this will do it:
msg=login_daily `money_countries` | sort 0 _time | streamstats current=false last(_time) AS prevTime BY uid | eval SecondsSincePrevEventByUID=(_time - prevTime) | where SecondsSincePrevEventByUID>=2592000
This adds a prevTime to each event that is the time of the previous event matching the same uid. If we then subtract these times, we can filter for those events that are 30 days (2592000 seconds) apart.