Hello all,
as the title indicates I'm looking for a way to identify when three events do not occur within a specified amount of time. I know that I can locate when two events do occur within a maximum time span by using a transaction.
index=myIndex username@domain.com OR *pictureOne.png*
| transaction tName startswith=username@domain.com endswith=*pictureOne.png* maxspan=1s
I'm still a bit of a Splunk noob, so my approach to obtaining the results I'm looking for is certainly naive (and doesn't work), but here's what I consider the best effort I've put forth so far.
[search index=myIndex username@domain.com OR *pictureOne.png* | transaction tNameOne startswith=username@domain.com endswith=*pictureOne.png* maxspan=1s] | stats count as one
[search index=myIndex username@domain.com OR *pictureTwo.png* | transaction tNameOne startswith=username@domain.com endswith=*pictureTwo.png* maxspan=1s] | stats count as two
| eval err=if(one==two, "No issue", "Issue present")
The idea was to check if the count of events returned by the two subsearches match. For instance, if my search is performed over a period of 24 hours, then the total number of times each image is associated with the specified username should match. Basically I'm running into an intermittent issue where one image is being requested and the other is not. I believe this should help identify affected users. It seems to me I have a few errors within the aforementioned query. Does everything have to be piped into each other? I was hoping I could define and alias some subsearches and then evaluate the number of events returned. However, this does not seem to be the case. When that didn't work I figured I could just define some variables and set them to the result of the subsearches and evaluate if the event counts match. But I can't find any documentation on defining and setting variables. So I'm guessing that's not an option. Sorry for the sloppy naming convention within my queries and thanks in advance for any assistance I might receive.
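The detection the question describes, expressed outside Splunk as an added Python example (not code from the post or from Splunk): for every anchor event a user produces, check that each expected follow-up event for the same user arrives within the 1-second window, and report the anchors where one is missing. The log format, the `action=login` anchor, the user names and all timestamps are constructed for the example. It also goes one step beyond the post by computing the per-image counts the question proposes to compare, on the same data, to show that equal counts can still hide failures when a missing pictureOne for one user and a missing pictureTwo for another cancel out.

```python
from datetime import datetime, timedelta

# Window within which the follow-up requests must appear (mirrors maxspan=1s)
MAXSPAN = timedelta(seconds=1)
# Hypothetical anchor event and the two follow-up markers from the question
ANCHOR = "action=login"
EXPECTED = ("pictureOne.png", "pictureTwo.png")

# Constructed sample log lines; deliberately out of order for alice's second session
SAMPLE_LOG = """\
2024-01-01T10:00:00.100 user=alice@domain.com action=login
2024-01-01T10:00:00.400 user=alice@domain.com GET /img/pictureOne.png
2024-01-01T10:00:00.600 user=alice@domain.com GET /img/pictureTwo.png
2024-01-01T10:05:00.000 user=bob@domain.com action=login
2024-01-01T10:05:00.300 user=bob@domain.com GET /img/pictureOne.png
2024-01-01T10:10:00.000 user=alice@domain.com action=login
2024-01-01T10:10:02.000 user=alice@domain.com GET /img/pictureOne.png
2024-01-01T10:10:00.200 user=alice@domain.com GET /img/pictureTwo.png
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, user, message)."""
    ts, user_field, message = line.split(" ", 2)
    return datetime.fromisoformat(ts), user_field.removeprefix("user="), message


def parse_log(text):
    """Parse all lines and sort by time; raw logs are not guaranteed to be ordered."""
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    events.sort(key=lambda e: e[0])
    return events


def markers_seen(events, start_index, maxspan=MAXSPAN, expected=EXPECTED):
    """Return the set of expected markers the anchor's user produced within maxspan."""
    ts, user, _ = events[start_index]
    seen = set()
    for ts2, user2, msg2 in events[start_index + 1:]:
        if ts2 - ts > maxspan:
            break  # events are sorted, so nothing later can fall inside the window
        if user2 != user:
            continue
        for marker in expected:
            if marker in msg2:
                seen.add(marker)
    return seen


def find_incomplete_transactions(events, maxspan=MAXSPAN, expected=EXPECTED):
    """One record per anchor event that is missing at least one expected follow-up."""
    incomplete = []
    for i, (ts, user, msg) in enumerate(events):
        if ANCHOR not in msg:
            continue
        seen = markers_seen(events, i, maxspan, expected)
        missing = [m for m in expected if m not in seen]
        if missing:
            incomplete.append({"user": user, "start": ts.isoformat(), "missing": missing})
    return incomplete


def count_complete_pairs(events, maxspan=MAXSPAN, expected=EXPECTED):
    """The count-per-image approach from the question: how many anchors saw each marker
    in time. Equal counts do not prove the absence of failures (see the sample data)."""
    counts = {m: 0 for m in expected}
    for i, (_, _, msg) in enumerate(events):
        if ANCHOR not in msg:
            continue
        for marker in markers_seen(events, i, maxspan, expected):
            counts[marker] += 1
    return counts


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for record in find_incomplete_transactions(parsed):
        print(f"{record['start']} {record['user']} missing {record['missing']}")
    print("per-image counts:", count_complete_pairs(parsed))
```

On the sample data the per-image counts come out equal (2 and 2), yet two of the three sessions are incomplete: bob never requested pictureTwo, and alice's second pictureOne arrived 2 seconds after the anchor, outside the window. Reporting per-anchor gaps rather than comparing totals is what actually surfaces the affected users.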