Splunk Search

How to search how many times EventA happens within 72 hours after EventB?

Communicator

I would like to find out how often a type of message is displayed after an update.
The data I am looking at displays an upgrade message when a site updates their software.
I would like to know how often a particular type of event happens after 3 days of an update (so how many times this event happens between the upgrade date and 72 hours later).
I mainly want to find ones where the event count is 0.

What I have so far is like this:

basesearch that leaves just upgrades and the events I want to count
| transaction Message startswith=latest(Upgrade) by SITE_ID maxpause=72h

Example of some events

SITE_ID=123 Message=Trigger1
SITE_ID=456 Message=Trigger1
SITE_ID=123 Message=Update
SITE_ID=456 Message=Trigger1
SITE_ID=123 Message=Trigger1
SITE_ID=456 Message=Update
SITE_ID=456 Message=Trigger1

For this example, I want it to spit out and tell me that SITE_ID 123 had 1 trigger after their latest update and SITE_ID 456 also had 1 trigger after their update.

0 Karma
1 Solution

Esteemed Legend

This should work:

basesearch that leaves just upgrades and the events I want to count 
| reverse | streamstats current=t count(Upgrade) AS sessionID BY SITE_ID
| streamstats current=t first(_time) AS startTime by sessionID SITE_ID
| stats first(_time) AS upgradeTime count(eval(_time > startTime AND (_time - startTime) <= 259200)) AS count by sessionID SITE_ID

Communicator

I do not understand what the:
(eval(_time > startTime AND (_time - startTime) <= 259200))

is doing in the line:
| stats first(_time) AS upgradeTime count(eval(_time > startTime AND (_time - startTime) <= 259200)) AS count by sessionID SITE_ID

0 Karma

Esteemed Legend

The (eval((_time - startTime) > 259200)) is checking whether each event is within 72 hours (equivalent to 259200 seconds), which is what you said you need.

0 Karma

Communicator

What does the sessionID part of this do?

0 Karma

Esteemed Legend

The sessionID part creates a way to group the events that are related to (come after and in between) Upgrade events.

0 Karma
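As an added illustration that is not part of the thread, here is the same sessionID logic written in Python over the posted sample events, with hypothetical timestamps added (and a site 789 with no triggers) so the 72-hour rule and the zero-count case can be checked outside Splunk:

```python
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=259200)  # 72 hours, the threshold used in the answer

# Constructed sample data: the poster's events with hypothetical timestamps added,
# plus one Trigger1 for site 456 that falls outside the window and a site (789)
# that has an Update but no triggers at all, so the zero-count case shows up.
EVENTS = [
    ("2024-01-01 00:00", 123, "Trigger1"),
    ("2024-01-01 01:00", 456, "Trigger1"),
    ("2024-01-02 00:00", 123, "Update"),
    ("2024-01-02 02:00", 456, "Trigger1"),
    ("2024-01-03 00:00", 123, "Trigger1"),
    ("2024-01-03 12:00", 456, "Update"),
    ("2024-01-04 00:00", 456, "Trigger1"),
    ("2024-01-05 00:00", 789, "Update"),
    ("2024-01-07 13:00", 456, "Trigger1"),  # 97h after the update: not counted
]


def triggers_after_latest_update(events, window=WINDOW):
    """Python equivalent of the answer's pipeline, returning {site: count}.

    `| reverse` -> walk events oldest first; `streamstats count(Upgrade) AS sessionID`
    -> bump a per-site counter at every Update; `first(_time) AS startTime`
    -> remember when that session's Update happened; the final `stats count(eval(...))`
    -> count triggers whose offset from startTime lies inside the window.
    Triggers seen before a site's first Update belong to no session and are skipped,
    and only each site's latest session is reported, as the question asks.
    """
    session = {}  # site -> [sessionID, startTime, count]
    for ts, site, message in sorted(events, key=lambda e: e[0]):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        if message == "Update":
            sid = session[site][0] + 1 if site in session else 1
            session[site] = [sid, t, 0]  # new session: the latest Update wins
        elif site in session:
            start = session[site][1]
            if timedelta(0) < t - start <= window:
                session[site][2] += 1
    return {site: n for site, (_sid, _start, n) in session.items()}


def zero_count_sites(events, window=WINDOW):
    """Sites whose latest Update was followed by no trigger within the window."""
    counts = triggers_after_latest_update(events, window)
    return sorted(site for site, n in counts.items() if n == 0)
```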

Revered Legend

Can you provide some sample events?

0 Karma

Communicator

I dummied up some example sample events.

0 Karma