Splunk Search

help with query

sarit_s
Communicator

Hello,
I have 2 kinds of events: X and Y,
and I want to see how many times X+Y happen at the same time and how many times each one of them happens alone.
How can I do it?

Thanks

Edit:
This is the flow:

  1. Query a specific eventtype (E1) for a specific tail_id and get all the timestamps at which it appears
  2. For each of the above timestamps, query the same tail_id at the timestamp +/- a given delta
  3. For each query above, count how many times different eventtypes appear
  4. Return the total number of times each of the above events was seen with the original E1 event. E.g. if E1 was seen a total of 100 times, have a list that shows E2 was seen all 100 times with E1, E3 was seen 50 times with E1, etc.

Do you think it will be possible to run something like this in a single Splunk query, and moreover, will it be efficient to have nested queries and loops in the same command?


woodcock
Esteemed Legend

Like this:

... | stats count BY XorYfield
| addtotals

sarit_s
Communicator

This is the flow I want:

  1. Query a specific eventtype (E1) for a specific tail_id and get all the timestamps at which it appears
  2. For each of the above timestamps, query the same tail_id at the timestamp +/- a given delta
  3. For each query above, count how many times different eventtypes appear
  4. Return the total number of times each of the above events was seen with the original E1 event. E.g. if E1 was seen a total of 100 times, have a list that shows E2 was seen all 100 times with E1, E3 was seen 50 times with E1, etc.
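The four-step flow above, written as a single SPL search. This is an added example, not a query posted by anyone in this thread. The index name (YOUR_INDEX), the tail_id value (YOUR_TAIL_ID) and the 300-second delta are placeholders; the eventtype name E1 is taken from the question. Step 2 (the nested search per E1 timestamp) is done with the map command, which runs one sub-search per result of the outer search and substitutes the outer result's fields into the $token$ placeholders.

```spl
index=YOUR_INDEX tail_id=YOUR_TAIL_ID eventtype=E1
| fields _time
| eval win_start=floor(_time-300), win_end=ceiling(_time+300)
| map maxsearches=5000 search="search index=YOUR_INDEX tail_id=YOUR_TAIL_ID earliest=$win_start$ latest=$win_end$ | stats count AS events_in_window BY eventtype"
| stats count AS e1_windows_with_event, sum(events_in_window) AS total_events BY eventtype
| sort - e1_windows_with_event
```

Reading the pipeline: the first line is step 1 (every E1 occurrence for the tail_id); the eval builds the +/- delta window around each timestamp (rounded to whole seconds because earliest/latest take epoch values); the map command is steps 2 and 3, returning one row per eventtype per window with the number of matching events; the final stats is step 4. Because every window contains its own E1 event, the E1 row in the output carries the total number of windows (the "100" in the example), and the other rows show in how many of those windows each eventtype appeared at least once (e1_windows_with_event) and how many events it contributed in total (total_events). If eventtype is multivalued, stats BY eventtype counts the event once under each value. On the efficiency question: map issues the sub-searches one after another and stops at maxsearches (the default is 10), so this is fine for hundreds of E1 events but will be slow for tens of thousands; if an exact +/- delta is not required, the same answer can be approximated in one pass by binning _time into fixed spans and using stats values(eventtype) BY _time, keeping only the bins that contain an E1 event.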

jpolvino
Builder

When you say "at the same time" do you mean they have the same timestamps, or are you looking for processing time overlaps?


gcusello
SplunkTrust

Hi @sarit_s,
If your events are in indexes X and Y, you could run something like this:

index=X OR index=Y
| stats count BY index
| addcoltotals labelfield=index label="Total"

If your events are in the same index, find a field to divide them (e.g. sourcetype or something else) and use it in the stats count command.

Ciao.
Giuseppe
