Splunk Search

Similar events within 1s of each other?

HenrikN
Engager

I have logs of this form:

[2021-08-19T13:59:05.607] [INFO] collect - [4a2b9170-0130-11ec-95b3-17c017e0ec5d] {"uid":967,"ec":"login","em":"Successful authentication with username: [test123] other data here..."

[2021-08-19T13:59:05.607] [INFO] collect - [4a2b9170-0130-11ec-95b3-17c017e0ec5d] {"uid":967,"ec":"login","em":"Successful authentication with username: [test123] other data here..."

I would like to run a query that will show all the cases where "username: [specific user]" shows up within 1 second. So the two lines above would be a hit because the test123 appeared in two similar events 1ms apart.

I have gotten this far:

source="my.log" 
| rex field=_raw "Successful authentication with username: \[(?<username>.*)] "
| streamstats count time_window=1s by username
| where count > 1

But this doesn't take the value of username into account and returns all cases of "Successful authentication..." that happen to be within the same second. (Again, I want that *only* if the username field is the same.)

Thanks!

 - Henrik

1 Solution

ITWhisperer
SplunkTrust

Try this instead

source="my.log"
| rex field=_raw "Successful authentication with username: \[(?<username>[^\]]+)\] "
| bin span=1s _time as second
| eventstats count by second username
| where count > 1


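The accepted answer counts logins per (whole second, username) bucket, which is exactly what the question asked for, but it is worth seeing how a fixed one-second bin differs from a true "within 1 s of each other" check: two logins 20 ms apart that straddle a second boundary land in different bins and are not flagged. The following Python is an added illustration, not code from the thread or from Splunk; it parses constructed sample lines in the format shown above (the UUIDs and usernames other than test123 are made up), runs the fixed-bin logic of the `bin`/`eventstats` query, and beside it a sliding-window check of the kind the asker's `streamstats time_window=1s by username` attempt was aiming for. The function and constant names are my own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the thread's log format (not real data).
# test123 logs in twice at the same millisecond; alice logs in twice 20 ms
# apart but across the 13:59:05 / 13:59:06 boundary; bob and carol should
# not be flagged (one login, or logins several seconds apart); the logout
# line has no username and must be ignored.
SAMPLE_LOG = """\
[2021-08-19T13:59:05.607] [INFO] collect - [4a2b9170-0130-11ec-95b3-17c017e0ec5d] {"uid":967,"ec":"login","em":"Successful authentication with username: [test123] other data here..."}
[2021-08-19T13:59:05.607] [INFO] collect - [4a2b9170-0130-11ec-95b3-17c017e0ec5d] {"uid":967,"ec":"login","em":"Successful authentication with username: [test123] other data here..."}
[2021-08-19T13:59:05.100] [INFO] collect - [00000000-0000-0000-0000-000000000001] {"uid":1,"ec":"login","em":"Successful authentication with username: [carol] ..."}
[2021-08-19T13:59:05.990] [INFO] collect - [00000000-0000-0000-0000-000000000002] {"uid":2,"ec":"login","em":"Successful authentication with username: [alice] ..."}
[2021-08-19T13:59:06.010] [INFO] collect - [00000000-0000-0000-0000-000000000003] {"uid":2,"ec":"login","em":"Successful authentication with username: [alice] ..."}
[2021-08-19T13:59:06.500] [INFO] collect - [00000000-0000-0000-0000-000000000004] {"uid":3,"ec":"logout","em":"Session closed for uid 3"}
[2021-08-19T13:59:07.000] [INFO] collect - [00000000-0000-0000-0000-000000000005] {"uid":4,"ec":"login","em":"Successful authentication with username: [bob] ..."}
[2021-08-19T13:59:09.000] [INFO] collect - [00000000-0000-0000-0000-000000000006] {"uid":1,"ec":"login","em":"Successful authentication with username: [carol] ..."}
"""

# Same idea as the rex in the answer: the username is everything inside the
# brackets after the fixed phrase; [^\]]+ stops at the first closing bracket.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>[A-Z]+)\] .*?"
    r"Successful authentication with username: \[(?P<username>[^\]]+)\]"
)


def parse_events(text):
    """Return (timestamp, username) for every successful-login line, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # lines without the phrase (e.g. logout) get no username, like rex
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%f")
        events.append((ts, m.group("username")))
    events.sort()
    return events


def bin_by_second(events):
    """Mirror `bin span=1s _time as second | eventstats count by second username | where count > 1`.

    Returns the set of usernames with more than one login inside one wall-clock second.
    """
    counts = defaultdict(int)
    for ts, user in events:
        second = ts.replace(microsecond=0)  # truncate to the 1 s bucket
        counts[(second, user)] += 1
    return {user for (_second, user), n in counts.items() if n > 1}


def sliding_window(events, window=timedelta(seconds=1)):
    """Flag a username whenever two of its logins are at most `window` apart.

    Unlike the fixed bin, this catches pairs that straddle a second boundary.
    Requires `events` sorted oldest first (parse_events guarantees that).
    """
    last_seen = {}
    flagged = set()
    for ts, user in events:
        prev = last_seen.get(user)
        if prev is not None and ts - prev <= window:
            flagged.add(user)
        last_seen[user] = ts
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("fixed 1 s bins flag:   ", sorted(bin_by_second(evs)))
    print("sliding 1 s window flag:", sorted(sliding_window(evs)))
    print("missed by fixed bins:  ", sorted(sliding_window(evs) - bin_by_second(evs)))
```

On the sample data the bin check flags only test123, while the sliding check flags test123 and alice. If boundary-straddling pairs matter for your alert, the SPL equivalent of the sliding check is the `streamstats ... time_window=1s by username` form from the question; note that `time_window` expects the events to arrive in time order, which is the usual reason that form appears not to respect the `by` field.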

HenrikN
Engager

That worked great! Thank you so much for the fast reply!

 - Henrik
