- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do I filter a user based on the next actio...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I filter a user based on the next action he took?
In one event, I see that a search results with this following line: "SERIES". That line tells me that the user selected a specific series from a set of series .
In a following event, I can see if the user hit enter by the following "keyInfo=ENTER".
How do I filter all the searches that resulted with "SERIES" by whether or not the next "keyInfo=Enter" (Success) or whether it was keyInfo= anything else (failure)?
The tricky part here is that they are two separate events, and I want to filter the first event based on the second event (whether the first key hit was enter).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could use transaction/append-stats or simply stats to get that information for you, but it would be tough for us to suggest anything without looking at the events. Could you post some sample events and expected output?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried using the transaction command. I used startswith=”SERIES”
and endswith=”keyInfo” to create transactions that start with the selection of the series and end with the first keystroke.
| transaction startswith=”SERIES”
endswith=”keyInfo” |
But it's not showing any events. Any idea what I'm doing wrong?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It tough to say anything without seeing how your events looks like.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is the approach:
https://answers.splunk.com/answers/314850/how-to-search-how-many-times-eventa-happens-within.html
Something like this:
basesearch that leaves just the 2 types of logs that need to be correlated
| reverse | streamstats current=t count(eval(searchmatch(("SERIES"))) AS sessionID BY host
| eventstats count(eval(searchmatch("keyInfo=ENTER"))) AS hasENTER BY sessionID host
| search hasENTER>0
You may not need host or you may need to use a different discriminating field in its place.
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
