Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use multiple where conditions in a search to match and correlate start and end time fields?

jsven7
Communicator
‎10-19-2015 10:15 AM

Working with the following:

EventStarts.txt
UserID, Start Date, Start Time

SpecialEventStarts.txt
UserID, Start Date, Start Time

EventEnds.txt
UserID, Start Date, End Time

SpecialEventEnds.txt
UserID, Start Date, End Time

I have to match up the starts with the appropriate ends. So far I know how to extract the required data, but I don't know how to do it for the start and end so as to match them up. I believe I have to use a where condition. This is my thinking...

x = "EventStarts.txt" OR "SpecialEventStarts.txt" OR "EventEnds.txt" OR "SpecialEventEnds.txt"
| where x = EventStarts.txt
| do what I want you to do
| where x = SpecialEventStarts.txt
| do what I want you to do
| where x = EventEnds.txt
| #do what I want you to do
| where x = SpecialEventEnds.txt
| do what I want you to do

How do I know when the where condition stops???

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎10-19-2015 12:17 PM

You have not specified what you are really trying to do so we have to guess quite a bit but, assuming that you have forwarded in these events from files, you can do something like this and maybe this gets you far enough along to finish it for yourself:

index=* source="*EventStarts.txt" OR source="*SpecialEventStarts.txt" OR source="*EventEnds.txt" OR source="*SpecialEventEnds.txt" | eval special=if(like(source, "%Special%"), "Special", "Normal") | stats values(*) AS * by user special

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎10-19-2015 12:17 PM

You have not specified what you are really trying to do so we have to guess quite a bit but, assuming that you have forwarded in these events from files, you can do something like this and maybe this gets you far enough along to finish it for yourself:

index=* source="*EventStarts.txt" OR source="*SpecialEventStarts.txt" OR source="*EventEnds.txt" OR source="*SpecialEventEnds.txt" | eval special=if(like(source, "%Special%"), "Special", "Normal") | stats values(*) AS * by user special
Reply
Solved! Jump to solution

jsven7
Communicator
‎10-21-2015 06:02 AM

eval special=if(like(source, "%Special%"), "Special", "Normal")

OK. Woodcock I'm thinking instead of a where condition I can use the if condition to determine the sourcetype. Sort of a similar problem though. I understand that the "Special" portion of the above line represents the executable if the if equals true and the "Normal" is the else. How do I perform multiple lines of executables when the if equals to true?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎10-21-2015 09:31 AM

Unfortunately, you have to stack more | eval x=if() clauses into the pipeline. There may be more tricky options but I would need to know exactly what you are trying to do.

0 Karma
Reply
Solved! Jump to solution

jsven7
Communicator
‎10-22-2015 04:56 AM

Ok. Thanks I appreciate your help.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎10-19-2015 12:16 PM

I am assuming that for EventEnds.txt and SpecialEventEnds.txt you actually have End Date and not Start Date, right?

0 Karma
Reply
Solved! Jump to solution

jsven7
Communicator
‎10-21-2015 05:56 AM

That's right. My plan to match them up is to use the Start and End Dates. So to do this in the code I was thinking I'd need to use the Where function to execute lines of code only for a specific sourcetype and then move on to the next.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎10-19-2015 11:53 AM

It depends on "do what I want you to do" whether it can be achieved by simple where clause or using transaction OR other commands. Could you provide more details on what you want to do here, how the Start and End will be correlated etc?

0 Karma
Reply
Solved! Jump to solution

jsven7
Communicator
‎10-21-2015 05:58 AM

In the "do what I want you to do" I plan on identifying the date/time of the records and match them up chronologically.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎10-19-2015 11:31 AM

Are you getting these events by forwarding them in (monitoring the files) or by using inputlookup (or inputcsv)? If the former, which date are you using for your timestamp ( _time )?

0 Karma
Reply
Solved! Jump to solution

jsven7
Communicator
‎10-21-2015 05:54 AM

I uploaded CSVs to test it out but the idea is to get these events from monitoring files.

0 Karma
Reply
Solved! Jump to solution

GeorgeStarkey
Path Finder
‎10-19-2015 11:29 AM

This is likely a use case for transaction command.

http://docs.splunk.com/Documentation/Splunk/6.3.0/SearchReference/Transaction

something along the lines of

base search | transaction startswith=EventStarts.txt endswith=EventEnds.txt

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top