Finding next event where field is similar

obhatti · ‎11-11-2013

How do I find the next event where a field is repeated?

Scenario:

I have following fields in an index

And I want to find Type,Cause,Resolution for next event where the Account number is same.

obhatti · ‎11-11-2013

Sample:

For the above data, I want to see a output like this:

TIME|DATE|ACCOUNT|TYPE|CAUSE|RESOLUTION|NEXTTYPE|NEXTCAUSE|NEXTRESOLUTION|DURATION
07:04|10/08/2013|112233|Video|Error|Reset|Video|Conflict|TechCall|584min
16:48|10/08/2013|112233|Video|Conflict|TechCall||||
12:34|10/07/2013|121244|DOCSIS|Connection|Tech||||

NEXTTYPE, NEXTCAUSE, NEXTRESOLUTION, and DURATION should be blank if there are no next events.

kristian_kolb · ‎11-11-2013

Probably you should specify a few sample events. Is it only interesting to report if the events are sequential? How do you find the 'first' event (that you want to find a sequel to)?

Some commands that may prove useful (read up on them in the Search Reference manual;

dedup (possibly in conjunction with reverse)

stats functions like values() or list()

transaction on ACCOUNT

or a simple table, perhaps?

/K

yannK · ‎11-11-2013

look at transactions based on the "ACCOUNT" field. http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Transaction

* | transaction ACCOUNT

Or build a stats search grouping per Account.

* | stats values(_raw) by ACCOUNT

Or use subsearches and use the result as a condition for the main search.

mysearch1 [ search mysearch2 | dedup ACCOUNT | table ACCOUNT ]

jtrucks · ‎11-11-2013

Look into the map and transaction commands.

--
Jesse Trucks
Minister of Magic

Finding next event where field is similar

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases