Solved: how to follow events on a field with different val...

eddiestephano · ‎02-12-2020

Hi guys,

I am new to splunk. I have multiple events that looks like this:
- 2020-02-07 07:21:20 action_time="2020-01-02 07:21:20.39", id_client="1234", ticket="1",
- 2020-02-07 07:21:20 action_time="2020-01-02 07:22:20.39", id_client="4567", ticket="2"
- 2020-02-07 07:21:20 action_time="2020-01-02 07:23:20.39", id_client="1234", ticket="2"
- ...

I would like to see transaction like this:
in All events, find the first event where id_client = "1234" and ticket="1". If match, find next event with the same id_client, but the ticket= "2".
so, for the same client, find first ticket=1, following after the ticket=2 (no other actions).

I tried with: ...| transaction ticket startwith='1' endwith='2' but it does not work

how can we do this in splunk ?

I thank you i advance,

to4kawa · ‎02-12-2020

This is better:

your search
| sort 0 id_client _time
| autoregress ticket as p_ticket
| where ticket=1 OR (ticket=2 AND (ticket-p_ticket=1))
| eventstats count by id_client
| where count > 1

your search
| streamstats count(eval(ticket="1")) as session by id_client
| stats list(_raw) as raw list(ticket) as ticket by id_client session
| eval checked=if(mvfind(ticket,"2")=1,1,0)
| where checked > 0

View solution in original post

to4kawa · ‎02-12-2020

This is better:

your search
| sort 0 id_client _time
| autoregress ticket as p_ticket
| where ticket=1 OR (ticket=2 AND (ticket-p_ticket=1))
| eventstats count by id_client
| where count > 1

your search
| streamstats count(eval(ticket="1")) as session by id_client
| stats list(_raw) as raw list(ticket) as ticket by id_client session
| eval checked=if(mvfind(ticket,"2")=1,1,0)
| where checked > 0

how to follow events on a field with different value

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!