Solved: Identifying users with activity in two different t...

jeffa · ‎07-21-2011

I'm trying to identify the source of a performance slow down that has occurred twice over the last two days. Each slow down occurred over a five minute period, once two days ago, once this morning (at different times of the day). I suspect some user activity, but have not been able to identify the particular user. I'd like to be able to narrow my search results to only users w/ activity during both time periods. The logs that I'm looking at have a "CustID" field. So, what I'd like to be able to do is something like...

sourcetype=MySourceType CustID="Any customer w/ activity in both time periods" ...

How would I go about this? Would it be possible to timechart the results and overlap the times?

BobM · ‎07-22-2011

It is easy to set a subsearch as a filter without appending the results. So if you want to filter one search with another use somthing like this.

sourcetype=MySourceType CustID=* earliest=x latest=y [ search sourcetype=MySourceType CustID=* earliest=a latest=b | fields CustID ]

But because you want both sets of events you need to append them and filter afterwards.
I have created a new field evblock for each group of results and used eventstats to look for a range and filter on that.

sourcetype=MySourceType CustID=* earliest=x latest=y | eval evblock=1  | append
[ search sourcetype=MySourceType CustID=* earliest=a latest=b | eval evblock=2 ]
| eventstats range(evblock) as inBoth by CustID | where inBoth=1

If you want to overlap them in the timeline, you will have to add in an eval on _time for the subsearch. For example if the times are exactly a day offset.

| eval _time=_time-8640

View solution in original post

BobM · ‎07-22-2011

It is easy to set a subsearch as a filter without appending the results. So if you want to filter one search with another use somthing like this.

sourcetype=MySourceType CustID=* earliest=x latest=y [ search sourcetype=MySourceType CustID=* earliest=a latest=b | fields CustID ]

But because you want both sets of events you need to append them and filter afterwards.
I have created a new field evblock for each group of results and used eventstats to look for a range and filter on that.

sourcetype=MySourceType CustID=* earliest=x latest=y | eval evblock=1  | append
[ search sourcetype=MySourceType CustID=* earliest=a latest=b | eval evblock=2 ]
| eventstats range(evblock) as inBoth by CustID | where inBoth=1

If you want to overlap them in the timeline, you will have to add in an eval on _time for the subsearch. For example if the times are exactly a day offset.

| eval _time=_time-8640

I-Man · ‎07-21-2011

I may be oversimplifying your question, but it seems like you could do something like this:

sourcetype=MySourceType CustID="*" earliest=07/20/2011:0:0:0 latest=07/20/2011:0:05:0 | timechart count by CustID

However, depending on how many users are active at that time, you could just run top to see who the top 10 are.

sourcetype=MySourceType CustID="*" earliest=07/20/2011:0:0:0 latest=07/20/2011:0:05:0 | top CustID

UPDATE
After re-reading, you can use append to compare the 2 times. When you graph it, use the Column chart type. Thats close to what your looking for.

sourcetype=MySourceType CustID="*" earliest=07/20/2011:0:0:0 latest=07/20/2011:0:05:0 | append [search ssourcetype=MySourceType CustID="*" earliest=07/19/2011:0:0:0 latest=07/19/2011:0:05:0] | timechart count by CustID

jeffa · ‎07-21-2011

That does get me all of the customer IDs that have logs in either the first time period, the second time period, or both time periods. But what I'm looking for is only search for CustIDs w/ logs in both time periods, therefore, not showing any CustIDs that only have logs in one time period or the other (but not both).

Identifying users with activity in two different time periods

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life