How do I filter a user based on the next action he...

bspier1 · ‎06-22-2016

In one event, I see that a search results with this following line: "SERIES". That line tells me that the user selected a specific series from a set of series .

In a following event, I can see if the user hit enter by the following "keyInfo=ENTER".

How do I filter all the searches that resulted with "SERIES" by whether or not the next "keyInfo=Enter" (Success) or whether it was keyInfo= anything else (failure)?

The tricky part here is that they are two separate events, and I want to filter the first event based on the second event (whether the first key hit was enter).

somesoni2 · ‎06-22-2016

You could use transaction/append-stats or simply stats to get that information for you, but it would be tough for us to suggest anything without looking at the events. Could you post some sample events and expected output?

bspier1 · ‎06-22-2016

I tried using the transaction command. I used startswith=”SERIES”
and endswith=”keyInfo” to create transactions that start with the selection of the series and end with the first keystroke.

| transaction startswith=”SERIES”
endswith=”keyInfo” |

But it's not showing any events. Any idea what I'm doing wrong?

somesoni2 · ‎06-22-2016

It tough to say anything without seeing how your events looks like.

woodcock · ‎06-22-2016

This is the approach:
https://answers.splunk.com/answers/314850/how-to-search-how-many-times-eventa-happens-within.html

Something like this:

basesearch that leaves just the 2 types of logs that need to be correlated 
| reverse | streamstats current=t count(eval(searchmatch(("SERIES"))) AS sessionID BY host
| eventstats count(eval(searchmatch("keyInfo=ENTER"))) AS hasENTER BY sessionID host
| search hasENTER>0

You may not need host or you may need to use a different discriminating field in its place.

How do I filter a user based on the next action he took?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!