Splunk Search

Identifying users with activity in two different time periods

jeffa
Path Finder

I'm trying to identify the source of a performance slow down that has occurred twice over the last two days. Each slow down occurred over a five minute period, once two days ago, once this morning (at different times of the day). I suspect some user activity, but have not been able to identify the particular user. I'd like to be able to narrow my search results to only users w/ activity during both time periods. The logs that I'm looking at have a "CustID" field. So, what I'd like to be able to do is something like...

sourcetype=MySourceType CustID="Any customer w/ activity in both time periods" ...

How would I go about this? Would it be possible to timechart the results and overlap the times?

1 Solution

BobM
Builder

It is easy to set a subsearch as a filter without appending the results. So if you want to filter one search with another use something like this.

sourcetype=MySourceType CustID=* earliest=x latest=y [ search sourcetype=MySourceType CustID=* earliest=a latest=b | fields CustID ]

But because you want both sets of events you need to append them and filter afterwards.
I have created a new field evblock for each group of results and used eventstats to look for a range and filter on that.

sourcetype=MySourceType CustID=* earliest=x latest=y | eval evblock=1  | append
[ search sourcetype=MySourceType CustID=* earliest=a latest=b | eval evblock=2 ]
| eventstats range(evblock) as inBoth by CustID | where inBoth=1

If you want to overlap them in the timeline, you will have to add in an eval on _time for the subsearch. For example if the times are exactly a day offset.

| eval _time=_time-86400
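A single-search alternative to the append approach above, added here as an example rather than taken from the thread: it scans from the start of the first window to the end of the second, tags each event with the window it falls in, and keeps only the CustIDs seen in both. The two five-minute windows are placeholders built from the dates in I-Man's reply; substitute the actual slow-down times.

```spl
sourcetype=MySourceType CustID=* earliest=07/19/2011:00:00:00 latest=07/20/2011:00:05:00
| eval w1=strptime("07/19/2011 00:00:00", "%m/%d/%Y %H:%M:%S"), w2=strptime("07/20/2011 00:00:00", "%m/%d/%Y %H:%M:%S")
| eval evblock=case(_time>=w1 AND _time<w1+300, 1, _time>=w2 AND _time<w2+300, 2)
| where isnotnull(evblock)
| eventstats dc(evblock) AS periods BY CustID
| where periods=2
| chart count AS events OVER CustID BY evblock
```

Drop the final chart line to keep the raw events of those customers, or replace it with `timechart span=1m count BY CustID` to overlay their activity. Unlike append, this is not subject to the subsearch limits (append defaults to 50,000 results and 60 seconds), but it does read every event between the two windows.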


I-Man
Communicator

I may be oversimplifying your question, but it seems like you could do something like this:

sourcetype=MySourceType CustID="*" earliest=07/20/2011:0:0:0 latest=07/20/2011:0:05:0 | timechart count by CustID

However, depending on how many users are active at that time, you could just run top to see who the top 10 are.

sourcetype=MySourceType CustID="*" earliest=07/20/2011:0:0:0 latest=07/20/2011:0:05:0 | top CustID

UPDATE
After re-reading, you can use append to compare the 2 times. When you graph it, use the Column chart type. That's close to what you're looking for.

sourcetype=MySourceType CustID="*" earliest=07/20/2011:0:0:0 latest=07/20/2011:0:05:0 | append [search sourcetype=MySourceType CustID="*" earliest=07/19/2011:0:0:0 latest=07/19/2011:0:05:0] | timechart count by CustID

jeffa
Path Finder

That does get me all of the customer IDs that have logs in either the first time period, the second time period, or both time periods. But what I'm looking for is to only search for CustIDs w/ logs in both time periods, therefore not showing any CustIDs that only have logs in one time period or the other (but not both).
