find event that happens before another event only

Splunk_novice27 · ‎03-28-2013

I have two events that occur often

event A and event B are two different url's (both are different values stored in a field called url)

event A typically happens prior to event B. This is normal behavior and I'm not interested in it. What is anomalous is when the system hiccups and Event B occurs before Event A in time.

I'm looking for a search that will find when Event B happens before Event A.

Any guidance is greatly appreciated , thanks in advance.

martin_mueller · ‎03-28-2013

You could do something like this, assuming each event occurs at most once per session_id:

... | eval time_a = case(expression to determine if it's event A, _time) | eval time_b = case(expression to determine if it's event B, _time) | stats min(time_*) as time_* by session_id | where time_b < time_a

Splunk_novice27 · ‎03-28-2013

Yes I have what equates to a session_id, I think some type of transaction is definitely the way to go but am unsure.

alacercogitatus · ‎03-28-2013

any kind of session_id or transaction_id that would be used to correlate the events?

find event that happens before another event only

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor