Solved: Similar events within 1s of each other?

HenrikN · ‎08-19-2021

I have logs like of this form:

[2021-08-19T13:59:05.607] [INFO] collect - [4a2b9170-0130-11ec-95b3-17c017e0ec5d] {"uid":967,"ec":"login","em":"Successful authentication with username: [test123] other data here..."

I would like to run a query that will show all the cases where "username: [specific user]" shows up within 1 second. So the two lines above would be a hit because the test123 appeared in two similar events 1ms apart.

I have gotten this far:

source="my.log" 
| rex field=_raw "Successful authentication with username: \[(?<username>.*)] " 
| streamstats count time_window=1s by username 
| where count > 1

But this doesn't take the value of username into account and returns all cases of "Successful authentication.." that happen to be within the same second. (Again I want that *only* if the username field is the same.)

Thanks!

- Henrik

ITWhisperer · ‎08-20-2021

Try this instead

source="my.log" 
| rex field=_raw "Successful authentication with username: \[(?<username>.*)] " 
| bin span=1s _time as second
| eventstats count by second username 
| where count > 1

View solution in original post

ITWhisperer · ‎08-20-2021

Try this instead

source="my.log" 
| rex field=_raw "Successful authentication with username: \[(?<username>.*)] " 
| bin span=1s _time as second
| eventstats count by second username 
| where count > 1

HenrikN · ‎08-23-2021

That worked great! Thank you so much for the fast reply!

- Henrik

Similar events within 1s of each other?

other

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!