How to find the most recent event for a user prece...

MatMeredith · ‎02-26-2013

I have a set of user activity logs, each of which identifies an event-type and a user-id. One possible event-type is "Exception" and when a user hits an "Exception" I want to know what other event type most commonly precedes it for the user. Specifically I'd like a table that shows me how often the most recent previous event is X, Y, Z etc.

I'm struggling to see how to do this. Can anyone help please?

Many thanks!

martin_mueller · ‎02-26-2013

You could use streamstats to append the previous event to the current event, and then use that to build your table.

martin_mueller · ‎02-27-2013

Try something like this:

... | streamstats current=f window=1 last(eventtype) as other_eventtype by userid

MatMeredith · ‎02-26-2013

Thanks for the answer, but could you offer any more detail please as I'm still not clear how I would do that? E.g. suppose in a very simple example I have

userid 1, eventtype A
...
userid 2, eventtype B
...
userid 1, eventtype "Exception"
...
userid 1, eventtype C
...
userid 1, eventtype "Exception"
...
userid 2, eventtype "Exception"

Here I'd want to see that 1/3 of the time the preceding event was A, 1/3 of the time it was B and 1/3 of the time it was C...

How to find the most recent event for a user preceding some other event

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)