I have a query that looks like this:
index=A ( ErrorCode=2 OR ErrorCode=3)
[ search index=B Criteria=1
| table userName]
This query will look for all users that have criteria=1 in their event, and then look to see if they have criteria 2 (in a separate index/sourcetype).
However, what I am really looking for is the events that occur 1 minute after Criteria 1 is triggered. I want to see how many users are experiencing errors right after criteria 1 is triggered. With this search, if a user experienced the criteria yesterday, but the errors today, it would show up.
I assume I need to carry the _time
field over somehow and marry it to the username? Not sure how to go about doing this.
Try something like this ...
index=A ( ErrorCode=2 OR ErrorCode=3)
[ search index=B Criteria=1
| table _time userName
| eval earliest=_time
| eval latest=_time+60
| fields - _time
| format "(" "(" "" ")" "OR" ")"
| rex mode=sed field=search "s/\"//g"
]
The return values from the search code in square brackets end up being formatted something like this
( ( earliest=1536192351.692 latest=1536192411.692 userName=value1 ) OR
( earliest=1536192351.692 latest=1536192411.692 userName=value2 ) OR ... )
Where those 153619235X.XXX values are epoch times.
The rex
line kills the quotes around the values, which must be done for the earliest and latest values to be interpreted correctly.
If userNames
may contain internal quotes or special characters, then the rex
should be replaced by a strftime
command back when the values of earliest
and latest
are being calculated, to translate them into the character values accepted by Splunk.
Let us know if you need that.