Splunk Search

How to use multiple where conditions in a search to match and correlate start and end time fields?

Communicator

Working with the following:

EventStarts.txt
UserID, Start Date, Start Time

SpecialEventStarts.txt
UserID, Start Date, Start Time

EventEnds.txt
UserID, Start Date, End Time

SpecialEventEnds.txt
UserID, Start Date, End Time

I have to match up the starts with the appropriate ends. So far I know how to extract the required data, but I don't know how to do it for the start and end so as to match them up. I believe I have to use a where condition. This is my thinking...

x = "EventStarts.txt" OR "SpecialEventStarts.txt" OR "EventEnds.txt" OR "SpecialEventEnds.txt"
| where x = EventStarts.txt
| do what I want you to do
| where x = SpecialEventStarts.txt
| do what I want you to do
| where x = EventEnds.txt
| do what I want you to do
| where x = SpecialEventEnds.txt
| do what I want you to do

How do I know when the where condition stops???

0 Karma
1 Solution

Esteemed Legend

You have not specified what you are really trying to do, so we have to guess quite a bit, but assuming that you have forwarded in these events from files, you can do something like this, and maybe this gets you far enough along to finish it for yourself:

index=* (source="*EventStarts.txt" OR source="*SpecialEventStarts.txt" OR source="*EventEnds.txt" OR source="*SpecialEventEnds.txt")
| eval special=if(like(source, "%Special%"), "Special", "Normal")
| stats values(*) AS * by UserID special

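To make the point in the answer concrete: a where has no scope that "stops". It drops every event that fails its condition, and every later command in the pipeline only sees the survivors, so four where clauses on four different sources in a row leave nothing for the last one to work on. The usual pattern is the one the answer sketches: keep all events, tag each one with stacked evals, normalise the per-source fields into common ones, and only then pair starts with ends per UserID. The search below is an added example written for this page, not the answer's own search and not from Splunk documentation. It assumes the CSV headers were extracted as fields named UserID, Start Date, Start Time, End Date and End Time, that dates look like 2016-01-15 and times like 13:45:00 (change the strptime format otherwise), and that the files are indexed where the search can read them:

```spl
index=* (source="*EventStarts.txt" OR source="*SpecialEventStarts.txt" OR source="*EventEnds.txt" OR source="*SpecialEventEnds.txt")
| eval special=if(like(source, "%Special%"), "Special", "Normal")
| eval phase=if(like(source, "%Starts.txt"), "start", "end")
| eval evt_time=case(phase=="start", strptime('Start Date'." ".'Start Time', "%Y-%m-%d %H:%M:%S"),
                     phase=="end",   strptime('End Date'." ".'End Time',   "%Y-%m-%d %H:%M:%S"))
| where isnotnull(evt_time)
| eval start_epoch=if(phase=="start", evt_time, null())
| sort 0 UserID special evt_time
| streamstats current=f last(phase) AS prev_phase last(start_epoch) AS matched_start BY UserID special
| where phase=="end" AND prev_phase=="start"
| eval duration_sec=evt_time-matched_start
| eval start=strftime(matched_start, "%Y-%m-%d %H:%M:%S")
| eval end=strftime(evt_time, "%Y-%m-%d %H:%M:%S")
| table UserID special start end duration_sec
```

Step by step: the first two evals tag each event with whether it came from a Special file and whether it is a start or an end; the case() builds one epoch timestamp from whichever date/time pair the event carries, and rows whose timestamp does not parse are dropped; start_epoch exists only on start events. After sorting by user and time, streamstats with current=f looks only at the earlier events in the same UserID/special group and carries forward the last phase seen and the last start time, so the final where keeps exactly those end events whose immediately preceding event for that user was a start. A start with no end, or two ends in a row, produce no row rather than a wrong pairing; if you want to report unmatched starts, run a second search that keeps phase=="start" events and counts them against the paired rows.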

Communicator

eval special=if(like(source, "%Special%"), "Special", "Normal")

OK, Woodcock. I'm thinking that instead of a where condition I can use the if condition to determine the sourcetype. Sort of a similar problem though. I understand that the "Special" portion of the above line represents what executes if the if evaluates to true and the "Normal" is the else. How do I perform multiple lines of executables when the if evaluates to true?

0 Karma

Esteemed Legend

Unfortunately, you have to stack more | eval x=if() clauses into the pipeline. There may be more tricky options but I would need to know exactly what you are trying to do.

0 Karma

Communicator

Ok. Thanks I appreciate your help.

0 Karma

Esteemed Legend

I am assuming that for EventEnds.txt and SpecialEventEnds.txt you actually have End Date and not Start Date, right?

0 Karma

Communicator

That's right. My plan to match them up is to use the Start and End Dates. So to do this in the code I was thinking I'd need to use the Where function to execute lines of code only for a specific sourcetype and then move on to the next.

0 Karma

SplunkTrust

It depends on "do what I want you to do" whether it can be achieved by a simple where clause or by using transaction or other commands. Could you provide more details on what you want to do here, how the Start and End will be correlated, etc.?

0 Karma

Communicator

In the "do what I want you to do" I plan on identifying the date/time of the records and match them up chronologically.

0 Karma

Esteemed Legend

Are you getting these events by forwarding them in (monitoring the files) or by using inputlookup (or inputcsv)? If the former, which date are you using for your timestamp ( _time )?

0 Karma

Communicator

I uploaded CSVs to test it out but the idea is to get these events from monitoring files.

0 Karma

Path Finder

This is likely a use case for the transaction command.

http://docs.splunk.com/Documentation/Splunk/6.3.0/SearchReference/Transaction

something along the lines of

base search | transaction UserID startswith=(source="*EventStarts.txt") endswith=(source="*EventEnds.txt")

0 Karma
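Filling in the placeholder search above, as an added example that is not the commenter's own code and not from Splunk documentation: transaction groups events by time order, so it only works if _time is the real event time, which means the file inputs must have been configured to parse Start Date plus Start Time (or End Date plus End Time) as the event timestamp, the point the Esteemed Legend raised earlier. The example also assumes the extracted field is named UserID, that no start/end pair is more than 24 hours apart (the maxspan value), and that the files are indexed where the search can read them:

```spl
index=* (source="*EventStarts.txt" OR source="*SpecialEventStarts.txt" OR source="*EventEnds.txt" OR source="*SpecialEventEnds.txt")
| eval special=if(like(source, "%Special%"), "Special", "Normal")
| eval phase=if(like(source, "%Starts.txt"), "start", "end")
| transaction UserID special startswith=eval(phase=="start") endswith=eval(phase=="end") maxevents=2 maxspan=24h keepevicted=true
| eval status=if(closed_txn=1, "paired", "unmatched")
| eval start=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval end=if(closed_txn=1, strftime(_time+duration, "%Y-%m-%d %H:%M:%S"), null())
| table UserID special status start end duration eventcount
```

Tagging phase with eval first lets startswith and endswith match on a field rather than on a raw-text search term, and grouping by both UserID and special keeps a Special start from being closed by a Normal end. maxevents=2 caps each transaction at one start and one end, so a second start with no end in between becomes its own transaction instead of being merged. keepevicted=true is what surfaces those incomplete groups at all: transaction silently discards them by default, and closed_txn=0 is the only signal that a start never got its end, which is usually the finding worth reporting. The duration and eventcount fields are produced by transaction itself. Note that transaction holds open groups in memory, so for large volumes the stats/streamstats pairing approach scales better.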