Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

help with query

sarit_s
Communicator
‎03-29-2020 06:12 AM

Hello
i have 2 kinds of events - X and Y
and i want to see how many times X+Y happens at the same time and how many times each one of them happens alone
how can i do it ?

thanks

**edit:
this is the flow :

  1. Query a specific eventtype (E1) for a specific tail_id and get all the timestamps in which it appears
  2. For each of the above timestamps query the same tail_id at the timestamp +/- a given delta
  3. For each query above count how many times different eventtypes appear
  4. Return a sum of total amounts of time each of the above events was seen with the original E1 event. E.g. if E1 was seen a total of 100 times have a list that shows E2 was seen all 100 times with E1, E3 was seen 50 times with E1, etc.

Do you think it will be possible to run something like this a single splunk query, and moreso will it be efficient to have nested queries and loops in the same command?

Tags (2)
0 Karma
Reply

woodcock
Esteemed Legend
‎03-29-2020 08:50 AM

Like this:

 ... | stats count BY XorYfield
| addtotals
0 Karma
Reply

sarit_s
Communicator
‎03-30-2020 04:55 AM

this is the flow i want :

  1. Query a specific eventtype (E1) for a specific tail_id and get all the timestamps in which it appears
  2. For each of the above timestamps query the same tail_id at the timestamp +/- a given delta
  3. For each query above count how many times different eventtypes appear
  4. Return a sum of total amounts of time each of the above events was seen with the original E1 event. E.g. if E1 was seen a total of 100 times have a list that shows E2 was seen all 100 times with E1, E3 was seen 50 times with E1, etc.
0 Karma
Reply

jpolvino
Builder
‎03-29-2020 06:42 AM

When you say "at the same time" do you mean they have the same timestamps, or are you looking for processing time overlaps?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-29-2020 06:27 AM

Hi @sarit_s,
if your events are in indexes X and Y, you could run something like this:

index=X OR index=Y
| stats count BY index
| addcoltotals labelfield=index label="Total"

if your events are in the same index, find a field to divide them (e.g. sourcetype or something else) and use it in stats count command.

Ciao.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Application management with Targeted Application Install for Victoria Experience

  Experience a new era of flexibility in managing your Splunk Cloud Platform apps! With Targeted Application ...

Index This | What goes up and never comes down?

January 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

The Power of Two: Splunk + Cisco at "Ludicrous Scale"   You know Splunk. You know Cisco. But have you seen ...