How to filter logs based on event A occurring but not event B

Follow
Avatar
Piyush Gupta
  • Edited

Suppose I have the following log


userA - eventA

userA - eventB

userA - eventA



userB - eventA

userB - eventA

userB - eventA

 

My Goal is to filter out users who have had an eventA but not eventB. So in this case, userB should get filtered out.

Any idea how I can do that?

0

Comments

1 comment

Sort by Date Votes
  • Avatar
    Shobhit Garg

    Hi Piyush,

    You have not mentioned the timerange, but what you can make a query like below, here the assumption is that EventA will always happen. I mean there wont be a case where eventB happens but eventA wont.

    User1   Event1
    userA - eventA
    userA - eventB
    userA - eventA

    userB - eventA
    userB - eventA
    userB - eventA

    Lets say have you have parsed User1 and Event1 fields like above

    | count by user1, event1

    | count by user1

    | where _count=1

    Thanks,

    Shobhit

     

     

    0
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post