Splunk Search

help with query

Communicator

Hello,
I have 2 kinds of events, X and Y,
and I want to see how many times X+Y happen at the same time and how many times each one of them happens alone.
How can I do it?

thanks

edit:
This is the flow:

  1. Query a specific eventtype (E1) for a specific tail_id and get all the timestamps in which it appears
  2. For each of the above timestamps query the same tail_id at the timestamp +/- a given delta
  3. For each query above count how many times different eventtypes appear
  4. Return the total number of times each of the above events was seen with the original E1 event. E.g. if E1 was seen a total of 100 times, have a list that shows E2 was seen all 100 times with E1, E3 was seen 50 times with E1, etc.

Do you think it will be possible to run something like this in a single Splunk query, and moreover, will it be efficient to have nested queries and loops in the same command?


Esteemed Legend

Like this:

 ... | stats count BY XorYfield
 | addcoltotals labelfield=XorYfield label="Total"

Communicator

This is the flow I want:

  1. Query a specific eventtype (E1) for a specific tail_id and get all the timestamps in which it appears
  2. For each of the above timestamps query the same tail_id at the timestamp +/- a given delta
  3. For each query above count how many times different eventtypes appear
  4. Return the total number of times each of the above events was seen with the original E1 event. E.g. if E1 was seen a total of 100 times, have a list that shows E2 was seen all 100 times with E1, E3 was seen 50 times with E1, etc.
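The four-step flow above (find every E1 for one tail_id, look +/- delta around each one, count the other eventtypes, then report in how many E1 windows each eventtype appeared) can be expressed literally with the map command, which runs a subsearch once per result of the outer search. This is an added example, not code from any post in this thread; the index name myindex, the tail_id value 1234, the eventtype names E1/E2/E3 and the 60-second delta are placeholder assumptions.

```spl
``` Step 1: every E1 for the tail_id, with the +/- 60 s window around it (assumed delta) ```
index=myindex tail_id=1234 eventtype=E1
| eval e1_time=_time, win_start=_time-60, win_end=_time+60
| table e1_time win_start win_end
``` Steps 2 and 3: one subsearch per E1 window, counting eventtypes inside it;
    $field$ tokens are filled from the outer result, maxsearches caps the loop ```
| map maxsearches=500 search="search index=myindex tail_id=1234 earliest=$win_start$ latest=$win_end$
    | stats count AS hits BY eventtype
    | eval e1_time=$e1_time$"
``` Step 4: how many distinct E1 windows each eventtype was seen in (E1's own row is the
    total number of E1 occurrences, since every window contains its own E1) ```
| stats dc(e1_time) AS e1_windows_with_event, sum(hits) AS total_hits BY eventtype
| sort - e1_windows_with_event
```

On efficiency: map really is a loop, so this runs one search per E1 occurrence and is capped by maxsearches (default 10); it is fine for hundreds of E1 events, not for millions. For large volumes a single-pass version is the better design: pull all events for the tail_id in one search, sort by _time, use streamstats last(e1_time) before and after a reverse to attach the nearest preceding and following E1 timestamp to every event, keep events whose distance to the nearest E1 is within the delta, and finish with the same stats dc(...) BY eventtype. That avoids nested searches entirely at the cost of attributing an event to only its nearest E1 when two E1 windows overlap.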

Builder

When you say "at the same time" do you mean they have the same timestamps, or are you looking for processing time overlaps?


SplunkTrust

Hi @sarit_s,
if your events are in indexes X and Y, you could run something like this:

index=X OR index=Y
| stats count BY index
| addcoltotals labelfield=index label="Total"

if your events are in the same index, find a field to divide them (e.g. sourcetype or something else) and use it in stats count command.

Ciao.
Giuseppe
