Detect Two Events Occurring in Quick Succession

Detect event B occurring quickly after event A using the slidingTimeWindow() function

Query

logscale
head()
| slidingTimeWindow(
    [{event = "A" | count(event, as=countAs)}, selectLast(event)], 
    span=1s
  )
| countAs > 0
| event = "B"

Introduction

The slidingTimeWindow() function can be used to detect two events occurring in quick succession.

In this example, the slidingTimeWindow() function is used to detect event B occurring quickly after event A.

Note that slidingTimeWindow() must be placed after an aggregator function (here head()) so that the events it receives have a guaranteed order. The events must be sorted ascending by timestamp; otherwise the query fails at run time. Any field can be selected as the timestamp, but @timestamp is used here.

Example incoming data might look like this:

@timestamp      event
1451606300500   A
1451606301000   B
1451606302000   A
1451606304000   B

Step-by-Step

  1. Starting with the source repository events.

  2.
    logscale
    head()

    Selects the oldest events, ordered ascending by time, which gives slidingTimeWindow() the sorted input it requires.

  3.
    logscale
    | slidingTimeWindow(
        [{event = "A" | count(event, as=countAs)}, selectLast(event)], 
        span=1s
      )

    Creates a sliding time window of 1 second that ends at each event and covers the preceding second. Within each window it counts the events where event is A, returning the count in a new field named countAs, and selects the event type of the last event in the window (the current event), which is kept in the field event.

  4.
    logscale
    | countAs > 0

    Filters for windows in which at least one event A occurred (countAs is 0 for windows with no A, not absent).

  5.
    logscale
    | event = "B"

    Keeps only windows whose last event is event B. Because the window ends at the current event, a B passes this filter only when an A occurred within the preceding second.

  6. Event Result set.
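The window semantics described in the steps above, as an added Python example (not LogScale code from the page): a trailing window of span milliseconds ending at each event, the count of A events inside it, the type of the last event, and the two filters. The sample events are constructed to mirror the page's example data; the function names, the span_ms parameter and the ValueError on unsorted input are assumptions of this example, not LogScale behaviour.

```python
# Constructed sample events mirroring the page's example data:
# (epoch milliseconds, event type). Not real log data.
SAMPLE_EVENTS = [
    (1451606300500, "A"),
    (1451606301000, "B"),
    (1451606302000, "A"),
    (1451606304000, "B"),
]


def sliding_time_window(events, span_ms):
    """Yield, for each event in timestamp order, the window of events whose
    timestamp lies in [t - span_ms, t], where t is the current event's timestamp.

    Like the LogScale function, this assumes sorted input; here an unsorted
    list raises ValueError (an assumption of this example).
    """
    for i in range(len(events) - 1):
        if events[i][0] > events[i + 1][0]:
            raise ValueError("events must be sorted ascending by timestamp")
    start = 0
    for i, (t, _) in enumerate(events):
        # Advance the window start past events older than span_ms before t.
        while events[start][0] < t - span_ms:
            start += 1
        yield events[start : i + 1]


def detect_b_after_a(events, span_ms=1000, first="A", second="B"):
    """Reproduce the page's query: for each trailing window count the `first`
    events (countAs), take the type of the last event (selectLast), then keep
    windows with countAs > 0 whose last event is `second`.

    Returns one dict per hit with the same fields as the query output.
    """
    hits = []
    for window in sliding_time_window(events, span_ms):
        count_as = sum(1 for _, e in window if e == first)   # event = "A" | count(event, as=countAs)
        last_event = window[-1][1]                            # selectLast(event)
        if count_as > 0 and last_event == second:             # | countAs > 0 | event = "B"
            hits.append({"countAs": count_as, "event": last_event, "@timestamp": window[-1][0]})
    return hits


if __name__ == "__main__":
    # span=1s: only the B at 1451606301000 follows an A within one second.
    for hit in detect_b_after_a(SAMPLE_EVENTS):
        print(hit)
    # span=2s: the second B (two seconds after the second A) is also reported.
    for hit in detect_b_after_a(SAMPLE_EVENTS, span_ms=2000):
        print(hit)
```

Running the module prints one hit for the one-second span and two for a two-second span, which shows why the span parameter, not the filters, determines what "quick succession" means for a given detection.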

Summary and Results

The query detects instances where event B occurs within 1 second after event A. The span parameter configures the interval, so the definition of "quick succession" can be adjusted to the behaviour being detected.

Sample output from the incoming example data:

countAs   event   @timestamp
1         B       1451606301000

The second B in the sample data (at 1451606304000) is not reported because the preceding A occurred two seconds earlier, outside the 1-second window. The query is useful for identifying sequences of events that happen in quick succession, which could indicate specific patterns of behavior or system interactions.