Solved: how to set time distance between operations in sea...

zoyaO · ‎10-09-2013

Hello!
i need to find clients who had operation "registration" and within 24 hours operation "payment"
how can I set the option for search, that one operation was less than 24 hours ago?

alacercogitatus · ‎10-09-2013

So here's a WAG. Search back 24 hours, transaction the events together using the keywords (I assumed these were in your data), and then filter out those with less than 2 events (registration and NOT payment within 24 hours).

your_search_terms earliest=-24h@h | transaction startswith="registration" endswith="payment" patient_id | where eventcount > 1

View solution in original post

alacercogitatus · ‎10-09-2013

So here's a WAG. Search back 24 hours, transaction the events together using the keywords (I assumed these were in your data), and then filter out those with less than 2 events (registration and NOT payment within 24 hours).

your_search_terms earliest=-24h@h | transaction startswith="registration" endswith="payment" patient_id | where eventcount > 1

dwaddle · ‎10-09-2013

then filter those other activities out as part of your base search... perhaps your_search_terms that alacer points out above should include "( registraton OR payment )".

alacercogitatus · ‎10-09-2013

your_search_terms "registration" OR "payment" | transaction startswith="registration" endswith="payment" patient_id | where duration < 86400 AND eventcount > 1

zoyaO · ‎10-09-2013

this is not exactly what I'm looking for. I need to find all the customers who have in their history activity "payment" less than 24 hours after the activity "registration". and between these events may be others events (eg change of email) which should not be considered.

how to set time distance between operations in search?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!