In one event, I see that a search results in the following line: "SERIES". That line tells me that the user selected a specific series from a set of series.
In a following event, I can see if the user hit enter by the following "keyInfo=ENTER".
How do I filter all the searches that resulted in "SERIES" by whether the next "keyInfo=" was ENTER (success) or anything else (failure)?
The tricky part here is that they are two separate events, and I want to filter the first event based on the second event (whether the first key hit was enter).
You could use transaction/append-stats or simply stats to get that information for you, but it would be tough for us to suggest anything without looking at the events. Could you post some sample events and expected output?
I tried using the transaction command. I used startswith="SERIES" and endswith="keyInfo" to create transactions that start with the selection of the series and end with the first keystroke.
| transaction startswith="SERIES" endswith="keyInfo"
But it's not showing any events. Any idea what I'm doing wrong?
It's tough to say anything without seeing what your events look like.
This is the approach:
https://answers.splunk.com/answers/314850/how-to-search-how-many-times-eventa-happens-within.html
Something like this:
basesearch that leaves just the 2 types of logs that need to be correlated
| reverse | streamstats current=t count(eval(searchmatch("SERIES"))) AS sessionID BY host
| eventstats count(eval(searchmatch("keyInfo=ENTER"))) AS hasENTER BY sessionID host
| search hasENTER>0
You may not need host, or you may need to use a different discriminating field in its place.
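A self-contained way to try the running-count approach described above, added here as an example and not code from the thread: it builds a handful of constructed events with makeresults, numbers each SERIES selection as a session, and then labels that selection by the first keystroke that follows it. It assumes the keystroke events carry a keyInfo=... token in _raw and that both event types share a host field.

```spl
| makeresults count=6
| streamstats count AS n
| eval _time=_time+n, host="web1",
    _raw=case(n=1, "result=SERIES",
              n=2, "keyInfo=ENTER",
              n=3, "result=SERIES",
              n=4, "keyInfo=ESC",
              n=5, "keyInfo=ENTER",
              n=6, "result=SERIES")
| sort 0 _time
| rex field=_raw "keyInfo=(?<keyInfo>\w+)"
| eval isSeries=if(like(_raw,"%SERIES%"),1,0)
| streamstats sum(isSeries) AS sessionID BY host
| streamstats count(keyInfo) AS keyNum BY host sessionID
| eval outcome=case(keyNum=1 AND keyInfo="ENTER", "success",
                    keyNum=1 AND isnotnull(keyInfo), "failure")
| eventstats values(outcome) AS outcome BY host sessionID
| where isSeries=1 AND sessionID>0
| table _time host sessionID outcome
```

The constructed data yields three SERIES rows: the first labelled success, the second failure (the ESC came before the later ENTER), and the third with no outcome because no keystroke followed it. Replace the makeresults and eval lines with your base search and drop the rex if keyInfo is already an extracted field.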