1
votes

I have a server with 2 APIs: /migrate/start and /migrate/end

For each request, I log the userID (field usrid="") of the user using my service to be migrated and the api called (field api="").

Users call /migrate/start, then call /migrate/end. I would like to write a Splunk query to list the userIDs that are being migrated, i.e. those that called /migrate/start but have yet to call /migrate/end. How would I write that query?

Thank you

2 Answers

1
votes

Assuming you have only 2 api calls (start/end) in the logs, you can use a stats command to do this.

| your_search
| stats values(api) as api by usrid
| where api!="/migrate/end"

This clubs all api calls done per user and removes the ones which have called /migrate/end.

1
votes

The general method is to get all the start and end events and match them up by user ID. Take the most recent event for each user and throw out the ones that are "migrate/end". What's left are all the in-progress migrations. Something like this:

index=foo (api="/migrate/start" OR api="/migrate/end")
| stats latest(api) as api by usrid
| where api="/migrate/start"
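The two answers differ in one edge case that matters in practice: a user who completed one migration and later started a second one. The `values(api)` approach drops that user (they have called /migrate/end at some point), while the `latest(api)` approach reports them correctly. The following is an added example, not code from either answer, that reimplements both queries in Python over a constructed key="value" log so the difference can be checked offline. The field names `usrid` and `api` and the two endpoint paths come from the question; the line format, the sample events and the function names are assumptions.

```python
"""Added example (not from the original post): both SPL approaches from the
answers, reimplemented over constructed key="value" log lines.  Field names
(usrid, api) and endpoint paths come from the question; the log line format,
sample data and function names are assumptions."""
import re

# Constructed sample log in timestamp order (oldest first).  Splunk's latest()
# orders by _time; here the line order stands in for that.  Note that u1
# finishes one migration and then starts a second one.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z usrid="u1" api="/migrate/start"
2024-05-01T10:00:05Z usrid="u2" api="/migrate/start"
2024-05-01T10:01:00Z usrid="u1" api="/migrate/end"
2024-05-01T10:02:00Z usrid="u3" api="/migrate/start"
2024-05-01T10:03:00Z usrid="u1" api="/migrate/start"
2024-05-01T10:04:00Z usrid="u4" api="/migrate/end"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_events(text):
    """Turn each log line into a dict of its key="value" fields, roughly what
    Splunk's automatic field extraction does.  Lines lacking usrid or api are
    skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        fields = dict(KV_RE.findall(line))
        if "usrid" in fields and "api" in fields:
            events.append(fields)
    return events

def in_progress_by_latest(events):
    """Equivalent of the second answer:
        | stats latest(api) as api by usrid | where api="/migrate/start"
    Only the most recent start/end event per user decides its state."""
    latest = {}
    for ev in events:  # time order: a later event overwrites an earlier one
        if ev["api"] in ("/migrate/start", "/migrate/end"):
            latest[ev["usrid"]] = ev["api"]
    return sorted(u for u, api in latest.items() if api == "/migrate/start")

def in_progress_by_values(events):
    """Equivalent of the first answer as its author describes it:
        | stats values(api) as api by usrid | where api!="/migrate/end"
    Any user who has ever called /migrate/end is removed, so a user on a
    second migration is missed."""
    seen = {}
    for ev in events:
        seen.setdefault(ev["usrid"], set()).add(ev["api"])
    return sorted(u for u, apis in seen.items() if "/migrate/end" not in apis)

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("latest():", in_progress_by_latest(evs))   # u1, u2, u3
    print("values():", in_progress_by_values(evs))   # u2, u3 (u1 missed)
```

The latest-event form also gives the right answer for a user whose only event is /migrate/end (u4 above: no start was logged, so there is nothing in progress), which both answers handle the same way. When the log is searched over a window that may cut off a user's earlier events, the result for either query reflects only the events inside that window.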