(Using Splunk 6.1.2 for...reasons) Background: We send out a push notification to a third party. The third party sometimes responds quickly with a data pull for that event, and sometimes days later. The notifications are automatically extracted as the field "pushID" The data pulls are automatically extracted as the field "pullID" Several notifications and several extractions can occur for each event. To further complicate matters, there can be several irrelevant pullID events occurring before the relevant pushID event occurs. What I am needing to do is get the pushID event time that occurs before the very first pullID time following, and calculate the delay (in decimal hours - which makes it a tad bit easier). Up to this point, I have been using a memory hogging join subsearch on pullID for every stats earliest ( pushID ) and attempting to return the stats latest( pullID ) result. Unfortunately, this is not returning correct results - and I need help in building something leaner and more accurate. Sample Data (all from same host and source): Jan 18 21:23:32 web event-server: Requesting pull event for pullID: ORG_12345_EVENT12345ABC1 Jan 15 14:16:06 web event-server: Requesting pull event for pullID: ORG_12345_EVENT12345ABC1 Jan 15 14:16:05 web event-server: Requesting pull event for pullID: ORG_12345_EVENT12345ABC1 Jan 15 14:15:58 web event-server: EVENT_NOTIFICATION for pushID: ORG_12345_EVENT12345ABC1 Jan 15 14:14:11 web event-server: Requesting pull event for pullID: ORG_12345_EVENT12345ABC1 Jan 15 14:13:03 web event-server: Requesting pull event for pullID: ORG_12345_EVENT12345ABC1 Jan 15 14:13:02 web event-server: Requesting pull event for pullID: ORG_12345_EVENT12345ABC1 Jan 15 14:13:00 web event-server: Requesting pull event for pullID: ORG_12345_EVENT12345ABC1 Jan 15 14:12:35 web event-server: EVENT_NOTIFICATION for pushID: ORG_12345_EVENT12345ABC1 Jan 14 13:11:18 web event-server: Requesting pull event for pullID: ORG_12345_EVENT12345ABC1 Jan 14 13:11:18 web event-server: Requesting pull event for pullID: ORG_12345_EVENT12345ABC1 Jan 14 11:53:58 web event-server: Requesting pull event for pullID: ORG_12345_EVENT12345ABC1 Under my current code, the correct pushID time is returning (Jan 15 14:12:35) but the wrong pullID result is returned (Jan 18 21:23:32). Mostly complete code (minus some other evals for other things) below: host=web source=/var/log/messages earliest=01/14/2019:00:00:00 latest=01/20/2019:24:00:00 pushID!=NULL ...[other evals and rex here]... | stats earliest(_time) as pushTime by pushID | fields pushID pushTime | eval pullID=pushID | join pullID max=0 usetime=true earlier=false [search host=web source=/var/log/messages earliest=01/14/2019:00:00:00 latest=01/20/2019:24:00:00 | stats earliest(_time) as pullTime by pullID | fields pullID pullTime ] | eval delayTime=pullTime-pushTime | where delayTime > 0 ...[other evals here]... | eval delayHours = delayTime/3600 | table pushID pushTime pullID pullTime delayHours What am I doing wrong, and how can I fix it? Is there a much simpler and less expensive way to retrieve the correct results? (have tried transactions, selfjoins, subsearches without joins, appendcols, etc.) ... View more

Hi! I have spent a couple of days now hunting for an answer with similar issues, but I am no closer to finding a solution. The gist of it is that each org has several case files, and multiple documents within each case. I am trying to track the user accounts to see the volume of documents they are accessing. The information is kept in two separate log files: the user log output in userlog; and the request log accessible through access_combined. The request log doesn't store the user ID and the userlog doesn't store the document access, only the reference page with links. I have managed to get all the data I need, I just cannot get it to display correctly. The code I have so far to get the data is: sourcetype=userlog page='/cases/case_docs' userid=$userid$ earliest=-24h | rex field=url "(?<matchORG>J\d{6}J),(?<caseID>\d{5}\w{1,2})," max_match=0 | rex field=WebServiceHost "host=\'(?<host>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})\'" | lookup orgName.csv ORGCODE as matchORG OUTPUT NAME | rename NAME as orgName | fields host userid orgName matchORG caseID | eval clientip = host | join clientip max=0 [search sourcetype=access_combined earliest=-24h | fields file clientip CASE_ID ORG_ID accessTime uri_path | where like(file,"%.pdf") | where like(uri_path,"%/service/document/%") ] | where match(CASE_ID,caseID) The fields... file uri_path CASE_ID ORG_ID ...are already predefined, extracted, and captured by Splunk. Where I am hitting a dead end is attempting to show the number of documents access by case file, and the overall documents accessed by organization. My desire is to have it show up as the Org Name, total document count, case ID, document count per case ID. Something like the image below: (Note: There is a typo in the table. JxxxxxxJ should instead be OrgA, OrgB, etc.) I have looked at options from other similar posts, but I just can't seem to get them work. And the one close to working, modifying the answer on a different similar question, only gives me partial results (but they all appear in the events tab): | stats count by orgName caseID | stats values(caseID) as Cases values(count) as CaseCount sum(count) as Total by orgName If anyone can point me in the right direction, it would be greatly appreciated. Also, any tips on streamlining this code would be appreciated as well. Addendum: Stuck at Splunk Enterprise 6.1.2 for...reasons. ... View more