Thanks for this, it now runs but the time picker is overriding the time ranges set for the "Stop" and "Portal" events, so if I select yesterday (15th Aug) only events that occurred on the 15th for all three types are returned (see my update below). Any ideas as I'm out of them now. Thanks ... View more

I have looked at this but it won't work for my use case as I am passing the query to Splunk via the js stack from a third party application. Thanks ... View more

Thanks for this. I seem to be getting an error when I try and run this search it says: Error in 'search' command: Unable to parse the search: 'AND' operator is missing a clause on the left hand side. Am I missing something? Thanks in advance ... View more

Thanks for this, I'll give it a try. I'm also looking at the time modifiers on my 3 event based searches to restrict it this way. I'd like the time-modifier for the start events (date range A) to be driven from the time picker but I would like the date ranges for Stop &Portal events to start 1 day prior to and end 1 day after the time-picker date range. So for example if the 2nd Aug is picked on the time-picker to return start events I'd like to apply the date range 1st Aug - 3rd Aug for the Stop & Portal events. I've played around with relative time modifiers but haven't yet successfully managed to get them to be related to the time-picker. Any ideas? Thanks again index=50 (type="Start" AND termination_cause!="Resumed" {date range A}) OR (type="Stop" AND termination_cause!="Suspect-Logout" {date-range B}) OR (type="Portal" view="PortalView_Process_*" {date range C}) ... View more

I've tried multi-search and this didn't seem to give anything over different to the above. Thanks ... View more

Thanks for your response, very much appreciated and this has solved a number of the problems I was having, in particular the sub-search truncation issue. I've included the actual query below that I am now using based upon your answer. I hope you don't mind but I have a couple of other points I'm now trying to clear up and wondered if you could point me in the right direction? The initial search now has the 3 event types with some hard-coded date-time ranges. I need to get the following functionality probably using relative time modifiers. selection of start events (type="Start") needs to be driven from the time picker which in-turn drives the selection of the remaining 2 event types. The stop events (type="Stop") require a time range with the same starting point the same as the start events and an end point finishing 2 days after the end point of the start events. The portal events are a tricky as they could be generated at any-point in the last 1-3 years hence why I'm using earliest=1. This relates to the speed of the query which is being hindered by the fact that a Portal type event, which contains the contextual data, can be created at any-point in time. Some of the indexes that I am running this query against are small (<20,000 portal events) and so the query is pretty quick (circa 1-2 seconds) but some indexes are large (circa 0.75 million events) and consequently the the query is taking around 30-40 seconds. Essentially I would like to return the most recent Portal event for all device_mac_addresses where there is a start event. Is there a more efficient way of doing this that will correlate the events within the initial search? Many thanks in advance index=50 (type="Start" AND termination_cause!="Resumed" earliest=1502233200 latest=1502319600) OR (type="Stop" AND termination_cause!="Suspect-Logout" earliest=1502233200 latest=1502492400) OR (type="Portal" view="PortalView_Process_*" earliest=1 latest=1502492400) |rename COMMENT as "rename a select required fields" | rename user_agent.Browser as browser_type, user_agent.Device_Type as device_type | fields _time, type, device_mac_address, session_id, browser_type, device_type | rename COMMENT as "Get only the most recent event Start and Stop records, keeping all Portal events." | dedup type, device_mac_address, session_id keepempty=t | rename COMMENT as "Get only the most recent Portal events for each device, keeping any records that aren't Portal events." | eval killme=if(type="Portal","Y",null()) | dedup killme device_mac_address keepempty=t | rename COMMENT as "copy the contextual data to all records with that deviceID then delete the event C" | eventstats max(browser_type) as browser_type, max(device_type) as device_type, max(portal_event_data) as event_data by device_mac_address | rename COMMENT as "Remove potral events." | where isnull(killme) | rename COMMENT as "Extract data from common fields." | eval session_start_time_unix=if(type="Start",_time,"") | eval session_stop_time_unix=if(type="Stop",_time,"") | eval session_start_time=strftime(session_start_time_unix,"%Y/%m/%d %H:%M:%S") | eval session_stop_time=strftime(session_stop_time_unix,"%Y/%m/%d %H:%M:%S") | rename COMMENT as "Join start and stop events based upon device_mac_address and session_id." | stats max(session_start_time) as session_start_time, max(session_stop_time) as session_stop_time, max(browser_type) as browser_type, max(device_type) as device_type, max(event_data) as event_data by device_mac_address, session_id | rename COMMENT as "Calculate session status and delete stop events where no start event exists." | eval session_status=case( isnull(session_start_time) AND isnotnull(session_stop_time),"Delete", isnull(session_stop_time),"Open", 1=1,"Closed" ) | where session_status!="Delete" | rename COMMENT as "Format data for presentation purposes." | sort device_mac_address, session_start_time, session_stop_time | streamstats count as row_no | table row_no, device_mac_address, session_id, session_start_time, session_stop_time, browser_type, device_type, session_status ... View more