Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About Traer001
Traer001
Path Finder
Member since:
03-29-2021
08-28-2021
Community Statistics
| Posts | 38 |
| Solutions | 2 |
| Karma Given | 7 |
| Karma Received | 2 |
| Member Since | 03-29-2021 |
Activity Feed
- Posted Re: How do I join a search on a field that is not unique to compare time values? on Splunk Search. 08-28-2021 07:42 AM
- Posted Re: How do I join a search on a field that is not unique to compare time values? on Splunk Search. 08-27-2021 12:48 PM
- Posted Re: How do I join a search on a field that is not unique to compare time values? on Splunk Search. 08-27-2021 11:49 AM
- Posted How do I join a search on a field that is not unique to compare time values? on Splunk Search. 08-27-2021 09:53 AM
- Got Karma for How to Extract Any Values With a Decimal in my Rex String. 07-21-2021 10:59 AM
- Posted How To Pass Parameters to Saved Search Using Splunklib on Splunk Search. 06-24-2021 02:25 PM
- Posted Re: How to separate sets of information with same field values without using transaction on Splunk Search. 06-22-2021 10:11 AM
- Posted How to separate sets of information with same field values without using transaction on Splunk Search. 06-21-2021 02:49 PM
- Posted Re: How to find duration of repeating events on Splunk Search. 06-18-2021 06:03 AM
- Posted How to find duration of repeating events on Splunk Search. 06-17-2021 11:29 AM
- Posted Re: How to keep results with a count of 0 on Splunk Search. 06-17-2021 06:57 AM
- Karma Re: How to keep results with a count of 0 for bowesmana. 06-17-2021 06:57 AM
- Posted How to keep results with a count of 0 on Splunk Search. 06-16-2021 03:06 PM
- Posted How to join two searches on a common field and include instances that don't overlap on Splunk Search. 06-15-2021 09:41 AM
- Posted How can I join results from one search to another based on time durations? on Splunk Search. 06-14-2021 12:51 PM
- Posted How to Extract Any Values With a Decimal in my Rex String on Splunk Search. 06-11-2021 02:37 PM
- Karma Re: How to Keep Fields from Becoming Multivalued for venkatasri. 06-09-2021 05:43 AM
- Posted Re: How to Get An Event from Within a Transaction on Splunk Search. 06-08-2021 02:59 PM
- Posted How to Keep Fields from Becoming Multivalued on Splunk Search. 06-08-2021 02:56 PM
- Posted How to Get An Event from Within a Transaction on Splunk Search. 06-08-2021 09:08 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 |
08-28-2021
07:42 AM
Yes @richgalloway , I got that result as well. But the thing is, with the data I have in the example there should be 3 results, not just one. I'm not sure how to get all of the results with the appropriate info.
... View more
06-24-2021
02:25 PM
Hello, Does anyone know how to pass parameters to a saved search using the splunklib for the Splunk API? I am able to use it to get results from my saved searches, but now I would like to be able to pass a variable value to my saved search. I've seen a few examples of people using the "curl" approach, but I wanted to see if there was a way to do this by directly using the splunklib for Python. This is the snippet of code where I retrieve my saved search and then run it. number_of_users = 10 search_name = "Find Most Recent Users" mysavedsearch = service.saved_searches[search_name] job = mysavedsearch.dispatch() So if I have a saved search named: Find Most Recent Users And that search looks like: "index=INDEX host=HOST sourcetype=SOURCETYPE | rex field=_raw "User:(?<user_id>\d+) | where isnotnull(user_id) | head $number_of_users$" How would I pass the variable "number_of_users" into the above?
... View more
Labels
- Labels:
-
other
06-22-2021
11:49 AM
Assuming that the error isn't actually fixed until the Automatic Success message, try this | makeresults
| eval _raw="2021-06-21 16:36:14 Error Fix Success for issue submitted by user:14
2021-06-21 16:35:22 Error Found for Users:12,13,14
2021-06-21 16:22:35 Error Fix Automatic Success for issue submitted by user:34
2021-06-21 16:22:35 Error Fix Success for issue submitted by user:34
2021-06-21 16:21:11 Error Fix Automatic Success for issue submitted by user:19
2021-06-21 16:21:11 Error Fix Success for issue submitted by user:19
2021-06-21 16:20:43 Error Found for Users:15,19,22,23
2021-06-21 16:07:38 Error Fix Automatic Success for issue submitted by user:14
2021-06-21 16:07:38 Error Fix Success for issue submitted by user:14
2021-06-21 16:05:51 Error Found for Users:34,1,18
2021-06-21 16:04:38 Error Fix Automatic Failure
2021-06-21 16:04:38 Error Fix Success for issue submitted by user:14
2021-06-21 16:04:11 Error Found for Users:12,13,14"
| multikv noheader=t
| fields _raw
| eval _time=strptime(_raw,"%Y-%m-%d %H:%M:%S")
| rex field=_raw "Error\sFound\sfor\sUsers:(?<users>.+)"
| rex field=_raw "Error\sFix\sAutomatic\sSuccess\sfor\sissue\ssubmitted\sby\suser:(?<submitted_by_user>\d+)"
| where isnotnull(users) or isnotnull(submitted_by_user)
| eval error_end=if(isnull(submitted_by_user),null(),_time)
| eval error_start=if(isnull(users),null(),_time)
| sort 0 _time
| eval user=split(users,",")
| mvexpand user
| eval user=coalesce(submitted_by_user,user)
| streamstats latest(error_start) as error_start latest(users) as users by user
| fieldformat error_end=strftime(error_end,"%Y-%m-%d %H:%M:%S")
| fieldformat error_start=strftime(error_start,"%Y-%m-%d %H:%M:%S")
| where isnotnull(error_end)
| eval duration=error_end-error_start
| eval users_involved=split(users, ",")
| eval user_count=mvcount(users_involved)
| table users_involved, user_count, submitted_by_user, error_start, error_end, duration
... View more
06-18-2021
06:03 AM
Hi @bowesmana , Yeah, there isn't anything to make those final success/fail messages unique unfortunately. The general pattern is that there needs to be an initial "Error Found" message, an "Error Resolve Success" message after that, and ending with either a "Status Success" or "Status Failed" message. If the ending status is "Failed", the "Error Resolve Success" and "Status" messages may repeat like shown. Generally, the "Status" messages will occur at the same time as the "Resolve Success" messages or within a second. So in this case, the "Failed" message at 13:13:15 does not correlate to the "Error Found" message at 13:13:14 because there hasn't been an "Error Resolve Success" message between them.
... View more
06-17-2021
06:57 AM
Thank you! This worked perfectly. I'm also making the changes you recommended. I'm not too familiar with what can optimize these searches, so this was helpful!
... View more
06-15-2021
09:41 AM
Hello, I have one search where I am finding inventory details for items going into carts and another search for cart status. The two searches have one common field (named differently in each) for the cart location and I am trying to join them to show how many inventory items have been put into each cart and when the last item was put into the cart. Both searches have the same index, host and sourcetype. My search currently looks like this. It's in the works, but I'm stuck. I want it to also show carts that have not had any inventory put into it yet and count the items for each cart (even if it's zero). How can I rewrite this to show the info I want? index=INDEX host=HOSTNAME sourcetype=SOURCETYPE | rex field=_raw "Cart:\s(?<cart_id>\d+)\sbegin" | rex field=_raw "Cart:\s(?<cart_id>\d+)\sselect\snew\ssection:\s(?<section>\d+)" | rex field=_raw "Cart:\s(?<cart_id>\d+)\sset\scurrent\slocation:\s(?<section_name>\w+-\d+)" | rex field=_raw "Cart:\s(?<cart_id>\d+)\snext\slocation\sis:(?<section_name>\w+-\d+)" | rex field=_raw "Cart:\s(?<cart_id>\d+)\sset\scurrent\slocation:\s\w+-(?<section_number>\d+)" | rex field=_raw "Cart:\s(?<cart_id>\d+)\snext\slocation\sis:\w+-(?<section_number>\d+)" | eval select_time=if(like(_raw, "%select new section%"), _time, null) | eval selected_at=strftime(select_time, "%Y-%m-%d %H:%M:%S") | eval start_time=if(like(_raw, "%begin%"), _time, null) | eval set_time=if(like(_raw, "%set current location%"), _time, null) | eval next_loc_time=if(like(_raw, "%next location%"), _time, null) | where isnotnull(cart_id) and ((like(_raw, "%set current location%") and like(section_name, "AA%")) or like(_raw, "%begin%") or (like(_raw, "%select new section%"))) | eventstats latest(section) as section_id latest(section_name) as section_name latest(section_number) as section_number latest(selected_at) as selected_at by cart_id | where isnotnull(section_name) and (100<=section_id and section_id<=300) | join type=outer left=L right=R where L.section_number=R.new_loc [search index=INDEX host=HOSTNAME sourcetype=SOURCETYPE | rex field=_raw "Move\sItem-(?<item>\w+\-\d+\-\d+\-\d+)\sfrom\sBin-(?<bin_id>\d+)-(?<slot_number>\d+)\sto\sAA-(?<new_loc>\d+)" | where isnotnull(item) | eval moved_at=strftime(_time, "%Y-%m-%d %H:%M:%S") | table item, bin_id, slot_number, new_loc, moved_at] | rename L.cart_id as cart_id, L.section_number as section_number, R.new_loc as new_loc, L.section_name as section_name, R.bin_id as bin_id, R.moved_at as moved_at | table cart_id, new_loc, section_number, section_name, bin_id, moved_at
... View more
06-14-2021
12:51 PM
Hello all, I have two searches. One is for finding session info/durations and the other is for finding error info/durations. I want to combine the session IDs to my error info table based on whether the error occurred during that session. So for instance, if I have something like this for my session data: 2021-06-14 14:45:12 UserId:123 Session 3 begin 2021-06-14 14:43:43 UserId:123 Session 2 end 2021-06-14 14:40:01 UserId:123 Session 2 begin 2021-06-14 14:33:10 UserId:123 Session 1 end 2021-06-14 14:25:44 UserId:123 Session 1 begin And I have something like this for my error data: 2021-06-14 14:30:12 UserId:123 Error finish 2021-06-14 14:28:43 UserId:123 Error start I would want to include session ID 1 to my error info table because an error happened during that session. I currently have a search like this, but it is not working how I want it to. How might I be able to rewrite this to show what I want? Also, if I wanted to just find the next session transaction after the end of an error, how can I do that? index=INDEX host=HOSTNAME sourcetype=SOURCETYPE | rex field=_raw "UserId:(?<user_id>\d+)" | transaction user_id startswith="start" endswith="finish" | where user_id<2000 | eval start=_time | eval finish=_time+duration | eval error_duration=tostring(duration, "duration") | eval error_start=strftime(start, "%Y-%m-%d %H:%M:%S") | eval error_end=strftime(finish, "%Y-%m-%d %H:%M:%S") | join user_id [search index=INDEX host=HOSTNAME sourcetype=SOURCETYPE_TWO | rex field=_raw "UserId:(?<user_id>\d+)\sSession\s(?<session_id>\d+)" | sort 0 user_id session_id -_time | transaction user_id session_id maxpause=5m endswith="end" | eval begin=_time | eval end=_time+duration | where user_id<2000 | eval duration=tostring(duration, "duration") | table user_id, begin, end, duration, session_id] | where start>=begin and finish<=end | table user_id, session_id, error_start, error_end, error_duration
... View more
Labels
- Labels:
-
eval
-
join
-
table
-
transaction
06-11-2021
03:18 PM
| rex field=_raw "Error\sat\sPosition\s(?<x_coord>[\d\.\-]+)\s(?<y_coord>[\d\.\-]+)"
... View more
06-08-2021
09:26 PM
1 Karma
Hi @Traer001 The data looks like it shall group by user_id, session_id. Try | transaction user_id session_id with additional args (maxspan, maxpause, startswith ends*) that you require. Do not set mvlist=true for your case. If you can share the SPL that would help to troubleshoot in case above recommendation doesn't work. ------------ An upvote would be appreciated if it helps!
... View more
06-08-2021
02:59 PM
I managed to solve my issue by using filldown prior to the transaction: index=INDEX host=HOST sourcetype=SOURCETYPE earliest=-1d@d latest=now | rex field=_raw "UserId:(?<user_id>\d+)\sSession\scomplete" | rex field=_raw "UserId:(?<user_id>\d+)\sStart\ssession" | rex field=_raw "UserId:(?<user_id>\d+)\sChoose\slocation\sfor\ssession:(?<session_id>\d+)" | where user_id<3000 | sort 0 user_id _time | filldown session_id | sort 0 user_id -_time | transaction user_id startswith="Choose" endswith="complete"
... View more
06-01-2021
10:20 PM
You probably should try two transaction commands in sequence, with different constraints. The first one will collect all the reserve events with the same user_id and loc, but will not add events to the transaction if they occurred more than 5 minutes away from any other event. You use maxpause instead of maxspan. You probably need to keep evicted and orphaned transactions so all events are still available for the second transaction. For the first transaction we only want "Reserve" events to be merged. The second transaction merges the "Leave" and "Reserve" events | transaction user_id loc action startswith="Reserve" endswith="Reserve" maxpause=5m keepevicted=true keeporphans=true | transaction user_id loc startswith="Reserve" endswith="Leave" maxevents=2 The maxevents=2 is important so that the Reserve events > 5 minutes early, that were separated out by the first transaction, don't get added back into the second transaction.
... View more
05-27-2021
11:56 AM
Hello, I have events that look like this: 2021-05-27 14:33:44 UserId:123 Begin Fix for Issue:4354657687 <-- extra/delayed event logged after fix 2021-05-27 14:33:43 UserId:123 Fix Success! 2021-05-27 14:33:01 UserId:123 Begin Fix for Issue:4354657687 2021-05-27 14:32:32 UserId:123 Begin Fix for Issue:4354657687 2021-05-27 14:32:08 UserId:123 Begin Fix for Issue:4354657687 2021-05-27 14:31:47 UserId:123 Fix Success! 2021-05-27 14:31:25 UserId:123 Begin Fix for Issue:4353228391 I am making a search to return instances where a new issue has started but has not yet been fixed. If I grab the latest event and it begins with "Begin Fix" I am currently taking that and using it to calculate the duration where an issue is considered "ongoing". However, in some cases, my events occur so that there is an extra event with the same issue id that occurs AFTER the fix has occurred. How should I go about this to only grab the latest event if its issue id has not been fixed yet?
... View more
Labels
- Labels:
-
eval
-
field extraction
-
rex
-
stats
05-21-2021
06:41 PM
If I understand the question correctly, you have a group of actors, some locations, and two cancelling acts. You want to capture the events in which the act is not cancelled out by a subsequent act. The concept is eventstats. To apply it, I want to differentiate between the actual application and the algorithm somewhat. In the application you described, if users are real persons (who cannot be in two rooms at the same time), all you need to do is to count whether actions against a room is even or odd. But if I just wanted to answer the question as you described: whether a user entered a room and hasn't exited. Assuming each event contains three fields, room, action, and userID, where action enumerates into "Exit" or "Go to". This is a proof of concept: | eventstats count latest(_time) as lastact by room action userID
| eval exitcount = if(action == "Exit", count, 0), gotocount = if(action != "Exit", count, 0)
| where gotocount > exitcount AND _time == lastact
| fields - count, exitcount, gotocount, lastact To test this, I use the following to generate an event sequence. | makeresults count=30
| streamstats count
| eval _time = now() + count * 30, userID = 120 + random() % 3, action = if(count % 2 == 0, "Exit", "Go to"), room = 23 + (random() % 4)
| fields - count Sample vents can look like _time action room userID 2021-05-22 01:31:07 Go to 23 122 2021-05-22 01:31:37 Exit 23 122 2021-05-22 01:32:07 Go to 23 120 2021-05-22 01:32:37 Exit 24 122 2021-05-22 01:33:07 Go to 23 120 2021-05-22 01:33:37 Exit 23 120 2021-05-22 01:34:07 Go to 23 122 2021-05-22 01:34:37 Exit 25 122 2021-05-22 01:35:07 Go to 26 121 (Obviously because I'm assigning actions randomly, data will look like a bunch of drunk ghosts.) If I put the event generator and the PoC code together, | makeresults count=30
| streamstats count
| eval _time = now() + count * 30, userID = 120 + random() % 3, action = if(count % 2 == 0, "Exit", "Go to"), room = 23 + (random() % 4)
| fields - count
| eventstats count latest(_time) as lastact by room action userID
| eval exitcount = if(action == "Exit", count, 0), gotocount = if(action != "Exit", count, 0)
| where gotocount > exitcount AND _time == lastact
| fields - count, exitcount, gotocount, lastact it will capture the unbalanced last act: _time action userID room 2021-05-22 00:52:50 Go to 25 122 2021-05-22 00:54:50 Go to 23 120 2021-05-22 00:56:50 Go to 25 121 2021-05-22 00:59:50 Go to 24 120 2021-05-22 01:00:50 Go to 26 121 2021-05-22 01:02:50 Go to 25 120 2021-05-22 01:03:50 Go to 23 121 2021-05-22 01:04:50 Go to 26 120 2021-05-22 01:05:50 Go to 24 121 (Because the generator is random, these results are not based on the sample given above.) Cancelling acts are probably not what you are really after. But I think you can use eventstats to do the math you needed.
... View more
05-11-2021
07:16 AM
| makeresults
| eval _raw="2021-05-11 09:18:13 ItemId:R231-1993 Moved to Location:M45-1
2021-05-11 09:16:48 ItemId:R231-1993 Retrieved from Location:T97-1
2021-05-11 09:16:17 ItemId:R231-1993 is active
2021-05-11 09:15:02 ItemId:R231-1993 is active
2021-05-11 09:14:13 ItemId:R231-1993 is active
2021-05-11 07:56:12 ItemId:R231-1993 Moved to Location:T97-1
2021-05-11 07:54:23 ItemId:R231-1993 is active
2021-05-11 07:53:41 ItemId:R231-1993 Retrieved from Location:D14-2
2021-05-11 07:52:13 ItemId:R231-1993 is active
2021-05-11 07:51:39 ItemId:R231-1993 is active"
| multikv noheader=t
| fields _raw
| rex "Retrieved from Location:(?<location>.+)"
| filldown
... View more
04-29-2021
02:09 PM
1 Karma
Thank you for the reply! Unfortunately this solution did not work for me. However, it did remind me of an idea to try. Instead of going straight into the transaction after sorting, I did a reverse time sort and then used streamstats to count the different actions (Notification vs. Response) in order, resetting the count when the action changed. Then I reversed the time sort again and was able to retrieve the earliest events for each stream of actions. Using that I was able to get the accurate transaction results. The query is below. index=INDEX host=HOSTNAME sourcetype=SOURCETYPE | rex field=_raw "Notification\sReceived\s\[User\sId:(?<user_id>\d+),\slocation:\w+,\slocation id:\w+\]" | rex field=_raw "Response\sSent\sfor\suser\sid:(?<user_id>\d+)" | eval action=if(like(_raw, "%Response%"), 1, 0) | where user_id<2000 | sort 0 user_id, _time | streamstats count as count_value by user_id action reset_on_change=true | where count_value=1 | sort 0 user_id, -_time | transaction user_id startswith="Notification" endswith="Response" | where duration>0 | rename _time as message_arrival | eval message_arrived_at=strftime(message_arrival, "%Y-%m-%d %H:%M:%S") | eval response_sent_at=strftime(message_arrival + duration, "%Y-%m-%d %H:%M:%S") | table user_id, message_arrived_at, response_sent_at, duration
... View more
04-27-2021
12:17 PM
Hello, thank you for the response but it does not appear to be getting what I need. I need to be able to grab the "Complete" message and the earliest "Begin" message with the same time value as the "Begin" messages leading up to the "Complete" message. I added a table command (| table user_id, time_value, begin, complete, duration) to the query you posted, but it doesn't show the correct "begin" and "complete" values.
... View more
04-23-2021
02:08 PM
Hello! I am trying to group my log entries based on very specific criteria but can't seem to figure out how to do so. I have logs like this: 2021-04-23 16:47:26 User Id: 6211 Error Resolved 2021-04-23 16:47:25 Error[0] type 800 2021-04-23 16:47:25 User Id: 2345 Error Resolved 2021-04-23 16:47:23 Error[0] Error Response {"user_id":2345, "error_id":9101, ..............etc} 2021-04-23 16:47:23 Error[0] type 800 2021-04-23 16:47:22 Error[0] Error Response {"user_id":6211, "error_id":9100, ..............etc} 2021-04-23 16:47:22 Error[0] type 800 I am trying to get three events in my transactions: (1) the initial error type message, (2) the error response details, and (3) the error resolved message. However, I need the error response details and the error resolved message to contain the same user id. I currently have my query set up like this: index=INDEX host=HOSTNAME sourcetype=SOURCETYPE | rex field=_raw "Error\[0\]\stype\s(?<error_code>\d+)" | rex field=_raw "User\sId:(?<user_id>\d+)\sError\sResolved" | rex field=_raw "Error\[0\]\sError\sResponse\s{\"user_id\":(?<user_id>\d+)" | where user_id<20000 or error_code=800 | transaction startswith="Error[0] type 800" endswith="User Id:" I'm lost on how to make sure that the transaction retrieves only the events where the user id of the error response details matches the error resolved message. Any ideas?
... View more
Labels
- Labels:
-
fields
-
transaction
04-19-2021
08:18 AM
1 Karma
Use outer join to count errors of either type by user_id and filter for when no errors have been found in the second search index=INDEX host=HOSTNAME sourcetype=SOURCETYPE_ONE |
rex field=_raw "User:\s(?<user_id>\d+)\sLocation:\s(?<loc>\w+)\sLocation\sId:\s(?<loc_id>\d+)" |
where user_id < 5000 |
table user_id, loc, loc_id, _time |
join type=outer user_id [search
index=INDEX host=HOSTNAME sourcetype=SOURCETYPE_TWO |
rex field=_raw "User:\s(?<user_id>\d+)\sError:\s(?<error_type>\w+)\sOccurred" |
rex field=_raw "User:\s(?<user_id>\d+)\sError\sId:\s(?<error_id>\d+)" |
where user_id < 5000 |
eval error=coalesce(error_id, error_type) |
stats count(eval(isnotnull(error))) by user_id |
where count > 0
] |
where isnull(count) |
table user_id, loc, loc_id, _time
... View more
04-06-2021
07:33 AM
1 Karma
| makeresults | eval _raw="2021-04-05 14:34:23 Node 123 selected for User 1
2021-04-05 14:34:17 User 1 released Node 118
2021-04-05 14:34:11 Node 123 selected for User 1
2021-04-05 14:34:05 Node 118 selected for User 1
2021-04-05 14:33:46 Node 118 selected for User 1
2021-04-05 14:33:29 User 1 released Node 103
2021-04-05 14:33:23 Node 118 selected for User 1
2021-04-05 14:33:21 Node 103 selected for User 1
2021-04-05 14:33:08 User 1 released Node 118
2021-04-05 14:33:02 Node 103 selected for User 1
2021-04-05 14:32:53 Node 118 selected for User 1"
| multikv noheader=t
| eval _time=strptime(_raw,"%Y-%m-%d %H:%M:%S")
| rex field=_raw "Node\s(?<node>\d+)\sselected\sfor\sUser\s(?<user_id>\d+)"
| rex field=_raw "User\s(?<user_id>\d+)\sreleased\sNode\s(?<node>\d+)"
| fields _time node user_id
| sort _time
| where isnotnull(node)
| eval selectedat=if(match(_raw,"selected"),_time,null)
| eval releasedat=if(match(_raw,"released"),_time,null)
| sort user_id node -_time
| streamstats min(releasedat) as releasedat by node user_id
| stats min(selectedat) as selectedat by node user_id releasedat
| fieldformat releasedat=strftime(releasedat,"%Y-%m-%d %H:%M:%S")
| fieldformat selectedat=strftime(selectedat,"%Y-%m-%d %H:%M:%S")
... View more
04-04-2021
01:11 PM
@Traer001 Is the second search expected to return more than one event? If yes, you'll need reduce the results to one _time value, e.g.: | tstats latest(_time) as latest_time where index=INDEX host=HOSTNAME sourcetype=SECOND_SOURCETYPE After that, you can plug this into your base search: index=INDEX host=HOSTNAME sourcetype=FIRST_SOURCETYPE [| tstats latest(_time) as latest_time where index=INDEX host=HOSTNAME sourcetype=SECOND_SOURCETYPE ] | rex field=_raw "User:\s(?<user_id>\d+)\s\(LeaveRoom\):\s(?<room_id>\d+)" ... The inner search produces one event with one field, latest_time. The result of the subsearch is inserted into the parent search as a set of predicates, e.g.: index=INDEX host=HOSTNAME sourcetype=FIRST_SOURCETYPE ( latest_time=1617567041 )
... View more
04-02-2021
04:27 PM
1 Karma
Hi @Traer001, You can try with transaction command; index=INDEX host=HOSTNAME sourcetype=SOURCETYPE
| rex field=_raw "User:\s(?<user_id>\d+)"
| rex field=_raw "(?<error_type>\w+)\sError"
| rex field=_raw "(?<error_type>\w+)\serror\sid:\s(?<error_id>\d+)"
| sort - _time
| transation user_id startswith="Happens" endswith="Recover"
| table _time duration user_id error_type error_id
... View more
03-30-2021
08:42 PM
1 Karma
See this example - I added a second user as your original query would not have worked with more than a single user id. | makeresults
| eval x="2021-03-30 13:23:42 User: 1 Chooses To Go To Room #4!!!2021-03-30 13:23:22 User: 1 Chooses To Go To Room #4!!!2021-03-30 13:23:22 User: 2 Chooses To Go To Room #77!!!2021-03-30 13:23:05 User: 1 Chooses To Go To Room #4!!!2021-03-30 13:22:47 User: 1 Chooses To Go To Room #4!!!2021-03-30 13:22:33 User: 1 Leaves Room #12!!!2021-03-30 13:22:19 User: 1 Chooses To Go To Room #12!!!2021-03-30 13:22:19 User: 2 Chooses To Go To Room #77!!!2021-03-30 13:22:09 User: 1 Chooses To Go To Room #12!!!2021-03-30 13:21:58 User: 1 Leaves Room #4!!!2021-03-30 13:21:43 User: 1 Chooses To Go To Room #4"
| makemv delim="!!!" x
| mvexpand x
| eval _time=strptime(x, "%F %T")
| rename x as _raw
| rex field=_raw "User:\s(?<user_id>\d+)\sLeaves\sRoom\s\#(?<room_id>\d+)"
| rex field=_raw "User:\s(?<user_id>\d+)\sChooses\sTo\sGo\sTo\sRoom\s\#(?<room_id>\d+)"
| eval action=if(like(_raw, "%Chooses%"), "Choose", null)
| where isnotnull(action)
| fields - _raw
| sort user_id _time
| eventstats latest(room_id) as latest_room by user_id
| streamstats count as count_value by user_id room_id reset_on_change=true
| where room_id=latest_room AND count_value=1
| stats latest(_time) as _time by user_id room_id This is sorting user_id and time, so that the sorted list has all rows for the same user sorted in descending time order. streamstats will then always set the first value for that room/user as count=1, so that's always the first entry to the room then check for count=1 to get the first entry to a room and it's the last time value (i.e. latest) which will be the first entry to the room at the start of a sequence.
... View more
03-29-2021
11:29 PM
| sort eventtype _time
| streamstats count(eval(message="Something is Broken")) as breaks by eventtype
| where breaks > 1
... View more
03-29-2021
08:30 PM
1 Karma
@Traer001 See this example, where I have used your data and added in another user id to help demonstrate things | makeresults
| eval x="2021-03-29 13:29:44 User: 2 (LeaveRoom): 230###2021-03-29 13:29:40 User: 2 Choose To Go To Room 212###2021-03-29 13:29:36 User: 2 (LeaveRoom): 245###2021-03-29 13:29:35 User: 3 (LeaveRoom): 123###2021-03-29 13:29:32 User: 2 Choose To Go To Room 230###2021-03-29 13:29:31 User: 3 Choose To Go To Room 444###2021-03-29 13:29:28 User: 2 Choose To Go To Room 245###2021-03-29 13:29:22 User: 3 Choose To Go To Room 123"
| makemv delim="###" x
| mvexpand x
| rename x as _raw
| eval _time=strptime(_raw, "%F %T")
| rex field=_raw "User:\s(?<user_id>\d+)\s(?<action>[^\d]+)\s(?<room_id>\d+)"
| stats latest(_time) as _time earliest(_time) as earliest values(action) as actions by room_id user_id
| where mvcount(actions)=2
| stats latest(room_id) as room_id latest(_time) as left latest(earliest) as entered by user_id You can paste this search into a Splunk search bar to see the results. The lines up to the first 'rex' statement are setting up the data, but then rex gets the user, action (enter/leave) and room id stats collects the times and actions for each user/room where statement checks for two actions (must be enter AND leave) final stats will show you the results for user id 2 and 3 to see the data remove all lines after mvexpand and you can see the data it is working with Using dedup is not something to use and you can't use where to check things as your row will not contain both rooms until you have performed some stats aggregation. Hope this helps
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-28-2021
11:02 AM
|
