Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search how many times EventA happens within 72 hours after EventB?

Amohlmann
Communicator
‎09-30-2015 07:12 PM

I would like to find out how often a type of message is displayed after an update.
The data I am looking at displays an upgrade message when a site updates their software.
I would like to know how often a particular type of event happens after 3 days of an update (so how many times this event happens between the upgrade date and 72 hours later).
I mainly want to find ones where the event count is 0

What I have so far is like this:

basesearch that leaves just upgrades and the events I want to count
| transaction Message startswith=latest(Upgrade) by SITE_ID maxpause=72h

Example of some events

SITE_ID=123 Message=Trigger1
SITE_ID=456 Message=Trigger1
SITE_ID=123 Message=Update
SITE_ID=456 Message=Trigger1
SITE_ID=123 Message=Trigger1
SITE_ID=456 Message=Update
SITE_ID=456 Message=Trigger1

For this Example, I want it to spit out and tell me that SITE_ID 123 had 1 trigger after their latest update and SITE_ID 456 also had 1 trigger after their update.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎09-30-2015 08:49 PM

This should work:

basesearch that leaves just upgrades and the events I want to count 
| reverse | streamstats current=t count(Upgrade) AS sessionID BY SITE_ID
| streamstats current=t first(_time) AS startTime by sessionID SITE_ID
| stats first(_time) AS upgradeTime count(eval((_time - startTime) > 259200)) AS count by sessionID SITE_ID

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎09-30-2015 08:49 PM

This should work:

basesearch that leaves just upgrades and the events I want to count 
| reverse | streamstats current=t count(Upgrade) AS sessionID BY SITE_ID
| streamstats current=t first(_time) AS startTime by sessionID SITE_ID
| stats first(_time) AS upgradeTime count(eval((_time - startTime) > 259200)) AS count by sessionID SITE_ID
Reply
Solved! Jump to solution

Amohlmann
Communicator
‎10-13-2015 05:14 PM

I do not understand what the:
(eval((_time - startTime) > 259200))

Is doing in the line:
| stats first(_time) AS upgradeTime count(eval((_time - startTime) > 259200)) AS count by sessionID SITE_ID

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎10-14-2015 08:00 AM

The (eval((_time - startTime) > 259200)) is checking whether each event is within 72 hours (equivalent to 259200 seconds), which is what you said you need.

0 Karma
Reply
Solved! Jump to solution

Amohlmann
Communicator
‎09-30-2015 11:03 PM

What does the sessionID part of this do?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎10-14-2015 07:58 AM

The sessionID part creates a way to group the events that are related to (come after and inbetween) Upgrade events.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-30-2015 07:40 PM

Can you provide some sample events??

0 Karma
Reply
Solved! Jump to solution

Amohlmann
Communicator
‎09-30-2015 08:16 PM

I dummied up some example sample events.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...