index=tbb sourcetype=tbb_server "No UserSession exists with the primary key"
|eval delta=_time/3|stats count as error_event_count by delta|fields delta error_event_count
| join delta
[search index=tbb sourcetype=access_combined logout|eval delta=_time/3|stats count as logout_event by delta|fields delta logout_event]
|table delta error_event_count logout_event
For this event, "No UserSession exists with the primary key", I need to extract a delta of 3 seconds from when the event happens in sourcetype=tbb_server and see if, for that delta, I can find a "logout" event in sourcetype=access_combined.
Get the first event count based on delta and table it with the count of logout events.
I am trying to see if there is a one-to-one relation between the error and the logout action. How can I do this with a subsearch, please? My search above might be way off 🙂
I think you're pretty far off here.
eval delta=_time/3 says to take the _time value, which will be the number of seconds since 1970 (i.e., 1320916082), and divide it by 3. So those 'delta' values will look like "440305360.667".
Then the join command will theoretically combine the events from each set that happen to have the exact same values for this field, which will only happen when there are events on each side that happened in the identical second.
Backing up a second, if you're trying to find instances where these two kinds of events occur within N seconds of each other, you might consider matching them with a simple OR command in the search,
index=tbb sourcetype=tbb_server ("No UserSession exists with the primary key" OR logout)
and then piping it to the transaction command, using its startswith, endswith and maybe maxspan arguments to group the raw events into little transactions, and then after that doing something like | search duration<3.
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/transaction
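Added example, not part of the original thread and not Splunk itself: a small Python model of the two approaches discussed above, run over constructed sample events so the difference can be seen offline. join_on_delta mirrors the question's `eval delta=_time/3` followed by a join on exact equality; transaction_pairs mirrors `transaction startswith=<error> endswith=logout maxspan=3s` (one logout closes one transaction, duration = end - start); within mirrors `| search duration<3`. The event texts, timestamps and field names are constructed for the example, and the model assumes the error and logout events both reach the transaction step, which the thread does not spell out.

```python
"""Model of correlating "No UserSession" errors with logout events.

Constructed sample data only (not real tbb logs). Times are epoch seconds,
the same shape as Splunk's _time field.
"""

ERROR_MARKER = "No UserSession exists with the primary key"

# Constructed tbb_server events: (epoch_seconds, raw event text)
SERVER_EVENTS = [
    (1320916082, "ERROR No UserSession exists with the primary key 4711"),
    (1320916090, "ERROR No UserSession exists with the primary key 4712"),
    (1320916200, "ERROR No UserSession exists with the primary key 4713"),
]

# Constructed access_combined events: (epoch_seconds, raw event text)
ACCESS_EVENTS = [
    (1320916083, '10.0.0.5 - - "GET /logout HTTP/1.1" 302 0'),
    (1320916093, '10.0.0.7 - - "GET /logout HTTP/1.1" 302 0'),
    (1320916150, '10.0.0.9 - - "GET /index.html HTTP/1.1" 200 512'),
]


def join_on_delta(server, access, divisor=3):
    """The question's approach: delta=_time/divisor on both sides, then a
    join on exact equality of delta. The division is not truncated, so two
    events only share a delta when they fall in the very same second."""
    errors = {t / divisor: t for t, raw in server if ERROR_MARKER in raw}
    logouts = {t / divisor: t for t, raw in access if "logout" in raw}
    return sorted((errors[d], logouts[d]) for d in errors.keys() & logouts.keys())


def transaction_pairs(server, access, maxspan=3):
    """Model of the answer's approach: each error opens a transaction, the
    next logout at or after it closes it, and the pair is dropped if the
    span would exceed maxspan seconds. A logout closes at most one
    transaction. Returns dicts with start, end and duration (end - start);
    end and duration are None when no logout arrived in time."""
    error_times = sorted(t for t, raw in server if ERROR_MARKER in raw)
    logout_times = sorted(t for t, raw in access if "logout" in raw)
    out, j = [], 0
    for t in error_times:
        # Logouts that happened before this error cannot close it.
        while j < len(logout_times) and logout_times[j] < t:
            j += 1
        if j < len(logout_times) and logout_times[j] - t <= maxspan:
            end = logout_times[j]
            j += 1  # consume this logout so it is not reused
        else:
            end = None
        out.append({"start": t, "end": end,
                    "duration": None if end is None else end - t})
    return out


def within(pairs, seconds=3):
    """Equivalent of `| search duration<3`: closed transactions only,
    strictly shorter than the threshold."""
    return [p for p in pairs
            if p["duration"] is not None and p["duration"] < seconds]


def one_to_one(pairs):
    """Summary for the original question: does every error have a logout
    shortly after it?"""
    matched = sum(1 for p in pairs if p["end"] is not None)
    return {"errors": len(pairs), "with_logout": matched,
            "one_to_one": matched == len(pairs)}


if __name__ == "__main__":
    print("join on _time/3:", join_on_delta(SERVER_EVENTS, ACCESS_EVENTS))
    pairs = transaction_pairs(SERVER_EVENTS, ACCESS_EVENTS, maxspan=3)
    for p in pairs:
        print("transaction:", p)
    print("duration<3:", [p["start"] for p in within(pairs, 3)])
    print("summary:", one_to_one(pairs))
```

On the constructed data the join approach returns nothing at all, because no error and logout share a second; the transaction model pairs the first two errors (durations 1 s and 3 s), `duration<3` keeps only the first, and the third error has no logout within the window, so the summary reports the relation is not one-to-one.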