Splunk Search

How to search how many times EventA happens within 72 hours after EventB?

Amohlmann
Communicator

I would like to find out how often a type of message is displayed after an update.
The data I am looking at displays an upgrade message when a site updates their software.
I would like to know how often a particular type of event happens after 3 days of an update (so how many times this event happens between the upgrade date and 72 hours later).
I mainly want to find the ones where the event count is 0.

What I have so far is like this:

basesearch that leaves just upgrades and the events I want to count
| transaction Message startswith=latest(Upgrade) by SITE_ID maxpause=72h

Example of some events

SITE_ID=123 Message=Trigger1
SITE_ID=456 Message=Trigger1
SITE_ID=123 Message=Update
SITE_ID=456 Message=Trigger1
SITE_ID=123 Message=Trigger1
SITE_ID=456 Message=Update
SITE_ID=456 Message=Trigger1

For this Example, I want it to spit out and tell me that SITE_ID 123 had 1 trigger after their latest update and SITE_ID 456 also had 1 trigger after their update.

0 Karma
1 Solution

woodcock
Esteemed Legend

This should work:

basesearch that leaves just upgrades and the events I want to count
| reverse | streamstats current=t count(Upgrade) AS sessionID BY SITE_ID
| streamstats current=t first(_time) AS startTime by sessionID SITE_ID
| stats first(_time) AS upgradeTime count(eval((_time - startTime) <= 259200)) AS count by sessionID SITE_ID


Amohlmann
Communicator

I do not understand what the:
(eval((_time - startTime) <= 259200))

Is doing in the line:
| stats first(_time) AS upgradeTime count(eval((_time - startTime) <= 259200)) AS count by sessionID SITE_ID

0 Karma

woodcock
Esteemed Legend

The (eval((_time - startTime) <= 259200)) is checking whether each event is within 72 hours (equivalent to 259200 seconds), which is what you said you need.

0 Karma

Amohlmann
Communicator

What does the sessionID part of this do?

0 Karma

woodcock
Esteemed Legend

The sessionID part creates a way to group the events that are related to (come after and in between) Upgrade events.

0 Karma
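As an added illustration (not code from the thread), here is the logic of the accepted answer written out in Python: a running count of upgrades per site plays the role of sessionID, each session's upgrade time is startTime, and only events at most 259200 seconds (72 hours) after it are counted, with the upgrade event itself excluded and sites whose count is 0 kept in the output. The event list and its timestamps are constructed, and Message=Update stands in for the Upgrade marker.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=72)  # the 259200-second window from the answer
# Constructed sample events with assumed timestamps (the thread's sample has none):
# (_time, SITE_ID, Message). Site 789 is added to show a zero-count result.
EVENTS = [
    ("2024-03-01 08:00", "123", "Trigger1"),
    ("2024-03-01 09:00", "456", "Trigger1"),
    ("2024-03-01 12:00", "789", "Update"),    # no trigger follows -> count 0
    ("2024-03-02 10:00", "123", "Update"),
    ("2024-03-02 11:00", "456", "Trigger1"),  # before 456's update -> not counted
    ("2024-03-03 12:00", "123", "Trigger1"),  # 26h after 123's update -> counted
    ("2024-03-03 13:00", "456", "Update"),
    ("2024-03-04 14:00", "456", "Trigger1"),  # 25h after 456's update -> counted
    ("2024-03-08 09:00", "123", "Trigger1"),  # 143h after 123's update -> outside window
]

def count_after_update(events, upgrade_msg="Update", window=WINDOW):
    """Return {(SITE_ID, sessionID): (upgradeTime, count)}; sessionID is the running
    number of upgrades seen for the site, count the later events within `window`."""
    # '| reverse': process the events in chronological order
    ordered = sorted((datetime.strptime(t, "%Y-%m-%d %H:%M"), s, m) for t, s, m in events)
    session = {}   # SITE_ID -> current sessionID (streamstats count(...) BY SITE_ID)
    result = {}    # (SITE_ID, sessionID) -> (startTime, count)
    for t, site, msg in ordered:
        if msg == upgrade_msg:
            session[site] = session.get(site, 0) + 1
            result[(site, session[site])] = (t, 0)   # upgrade row keeps zero counts visible
            continue
        sid = session.get(site, 0)
        if sid == 0:
            continue   # event precedes any upgrade for this site: no session
        start, n = result[(site, sid)]
        # (_time - startTime) <= 259200, excluding the upgrade event itself
        if t > start and t - start <= window:
            result[(site, sid)] = (start, n + 1)
    return result

def latest_per_site(result):
    """Keep only each site's most recent upgrade session: {SITE_ID: count}."""
    latest = {}
    for (site, sid), (_, n) in result.items():
        if sid > latest.get(site, (0, 0))[0]:
            latest[site] = (sid, n)
    return {site: n for site, (_, n) in latest.items()}

if __name__ == "__main__":
    counts = latest_per_site(count_after_update(EVENTS))
    print({site: n for site, n in counts.items() if n == 0})  # sites with no trigger in 72h
```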

somesoni2
SplunkTrust

Can you provide some sample events?

0 Karma

Amohlmann
Communicator

I dummied up some example sample events.

0 Karma