Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search how many times EventA happens within 72 hours after EventB?

Amohlmann
Communicator
‎09-30-2015 07:12 PM

I would like to find out how often a type of message is displayed after an update.
The data I am looking at displays an upgrade message when a site updates their software.
I would like to know how often a particular type of event happens after 3 days of an update (so how many times this event happens between the upgrade date and 72 hours later).
I mainly want to find ones where the event count is 0

What I have so far is like this:

basesearch that leaves just upgrades and the events I want to count
| transaction Message startswith=latest(Upgrade) by SITE_ID maxpause=72h

Example of some events

SITE_ID=123 Message=Trigger1
SITE_ID=456 Message=Trigger1
SITE_ID=123 Message=Update
SITE_ID=456 Message=Trigger1
SITE_ID=123 Message=Trigger1
SITE_ID=456 Message=Update
SITE_ID=456 Message=Trigger1

For this Example, I want it to spit out and tell me that SITE_ID 123 had 1 trigger after their latest update and SITE_ID 456 also had 1 trigger after their update.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎09-30-2015 08:49 PM

This should work:

basesearch that leaves just upgrades and the events I want to count 
| reverse | streamstats current=t count(Upgrade) AS sessionID BY SITE_ID
| streamstats current=t first(_time) AS startTime by sessionID SITE_ID
| stats first(_time) AS upgradeTime count(eval((_time - startTime) > 259200)) AS count by sessionID SITE_ID

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎09-30-2015 08:49 PM

This should work:

basesearch that leaves just upgrades and the events I want to count 
| reverse | streamstats current=t count(Upgrade) AS sessionID BY SITE_ID
| streamstats current=t first(_time) AS startTime by sessionID SITE_ID
| stats first(_time) AS upgradeTime count(eval((_time - startTime) > 259200)) AS count by sessionID SITE_ID
Reply
Solved! Jump to solution

Amohlmann
Communicator
‎10-13-2015 05:14 PM

I do not understand what the:
(eval((_time - startTime) > 259200))

Is doing in the line:
| stats first(_time) AS upgradeTime count(eval((_time - startTime) > 259200)) AS count by sessionID SITE_ID

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎10-14-2015 08:00 AM

The (eval((_time - startTime) > 259200)) is checking whether each event is within 72 hours (equivalent to 259200 seconds), which is what you said you need.

0 Karma
Reply
Solved! Jump to solution

Amohlmann
Communicator
‎09-30-2015 11:03 PM

What does the sessionID part of this do?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎10-14-2015 07:58 AM

The sessionID part creates a way to group the events that are related to (come after and inbetween) Upgrade events.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-30-2015 07:40 PM

Can you provide some sample events??

0 Karma
Reply
Solved! Jump to solution

Amohlmann
Communicator
‎09-30-2015 08:16 PM

I dummied up some example sample events.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...