Splunk Search

find event that happens before another event only

Splunk_novice27
New Member

I have two events that occur often

event A and event B are two different url's (both are different values stored in a field called url)

event A typically happens prior to event B. This is normal behavior and I'm not interested in it. What is anomalous is when the system hiccups and Event B occurs before Event A in time.

I'm looking for a search that will find when Event B happens before Event A.

Any guidance is greatly appreciated , thanks in advance.

Tags (1)
0 Karma

martin_mueller
SplunkTrust
SplunkTrust

You could do something like this, assuming each event occurs at most once per session_id:

... | eval time_a = case(expression to determine if it's event A, _time) | eval time_b = case(expression to determine if it's event B, _time) | stats min(time_*) as time_* by session_id | where time_b < time_a
0 Karma

Splunk_novice27
New Member

Yes I have what equates to a session_id, I think some type of transaction is definitely the way to go but am unsure.

0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

any kind of session_id or transaction_id that would be used to correlate the events?

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...