Solved: Similar events within 1s of each other?

HenrikN · ‎08-19-2021

I have logs like of this form:

[2021-08-19T13:59:05.607] [INFO] collect - [4a2b9170-0130-11ec-95b3-17c017e0ec5d] {"uid":967,"ec":"login","em":"Successful authentication with username: [test123] other data here..."

I would like to run a query that will show all the cases where "username: [specific user]" shows up within 1 second. So the two lines above would be a hit because the test123 appeared in two similar events 1ms apart.

I have gotten this far:

source="my.log" 
| rex field=_raw "Successful authentication with username: \[(?<username>.*)] " 
| streamstats count time_window=1s by username 
| where count > 1

But this doesn't take the value of username into account and returns all cases of "Successful authentication.." that happen to be within the same second. (Again I want that *only* if the username field is the same.)

Thanks!

- Henrik

ITWhisperer · ‎08-20-2021

Try this instead

source="my.log" 
| rex field=_raw "Successful authentication with username: \[(?<username>.*)] " 
| bin span=1s _time as second
| eventstats count by second username 
| where count > 1

View solution in original post

ITWhisperer · ‎08-20-2021

Try this instead

source="my.log" 
| rex field=_raw "Successful authentication with username: \[(?<username>.*)] " 
| bin span=1s _time as second
| eventstats count by second username 
| where count > 1

HenrikN · ‎08-23-2021

That worked great! Thank you so much for the fast reply!

- Henrik

Similar events within 1s of each other?

other

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!