- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to search for an event that has not occurred i...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Hello All,
Anyone out there know how I can search for an event that is supposed to occur within 24 hours but has not?
Example:
1 - Invite is sent, if invite is not marked received in 24 hours it is a failure.
So, lets say --- invite was sent 11/14/21 and it is received on 11/16/21 this is a failure.
The start time would not be now() or relateive_time function because the start time would be the time the invite was sent.
Any help is greatly appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Hi @MeMilo09,
assuming that there's a common key to use to correlate events and there are an event with status="Invite sent" and another one with status="Invite received", you could run something like this (to adapt to your real situation):
index=orders (Status="Invite sent" OR Status="Invite received")
| stats
dc(Status) AS dc_status
values(Status) AS Status
earliest(_time) AS earliest
latest(_time) AS latest
BY Invite_Id
| eval
Invite_Status=if(dc_status=1 AND Status="Invite sent","Invite sent But Not Received",if(dc_status=2 AND (latest-earliest>172800),"Invite sent But Received Late","Invite Sent and Received"),
Invite_Sent_Date=strftime(earliest,"%Y-%m-%d %H:%M:%S"),
Invite_Received_Date=dc_status=1 AND Status="Invite sent","Not Received",strftime(latest,"%Y-%m-%d %H:%M:%S"))
| table Invite_Id Invite_Status Invite_Sent_Date Invite_Received_DateCiao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Hi @MeMilo09,
assuming that there's a common key to use to correlate events and there are an event with status="Invite sent" and another one with status="Invite received", you could run something like this (to adapt to your real situation):
index=orders (Status="Invite sent" OR Status="Invite received")
| stats
dc(Status) AS dc_status
values(Status) AS Status
earliest(_time) AS earliest
latest(_time) AS latest
BY Invite_Id
| eval
Invite_Status=if(dc_status=1 AND Status="Invite sent","Invite sent But Not Received",if(dc_status=2 AND (latest-earliest>172800),"Invite sent But Received Late","Invite Sent and Received"),
Invite_Sent_Date=strftime(earliest,"%Y-%m-%d %H:%M:%S"),
Invite_Received_Date=dc_status=1 AND Status="Invite sent","Not Received",strftime(latest,"%Y-%m-%d %H:%M:%S"))
| table Invite_Id Invite_Status Invite_Sent_Date Invite_Received_DateCiao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
Hi @MeMilo09,
good for you, see next time!
ciao and happy splunking!
Giuseppe
P.S.: Karma Points are appreciated 😉
