https://community.splunk.com/t5/Getting-Data-In/Merging-Associated-Events/m-p/100644#M21077 <P>I have a script which sends individual events into Splunk, each event is essentially a report on a HTTP Request, either GET or POST. The event contains a number of fields but two key ones are StepName and Timing:</P> <OL> <LI>StepName will be a title for the HTTPRequest etc. PostLogin</LI> <LI>Timing will be a int value of the milliseconds taken by HttpRequest</LI> </OL> <P>I'm writing a report which shows the average time taken for each step over last 15 minutes. However, from an end users point of view, some steps are part of one process e.g.</P> <OL> <LI>Step1 - GetLoginPage</LI> <LI>Step2 - PostLoginPage</LI> <LI>Step3 - ProcessUserDetails</LI> <LI>Step4 - GetHomePage</LI> </OL> <P>In this case Step2 and Step3 would be one process for an end user, therefore I'd like to be able to report on these as if they were one step so the following:</P> <HR /> <P>GetLoginPage 50<BR /><BR /> PostLoginPage 100<BR /><BR /> ProcessUserDetails 250<BR /><BR /> GetHomePage 80</P> <HR /> <P>would become</P> <HR /> <P>GetLoginPage 50<BR /><BR /> PostLoginPage 350<BR /><BR /> GetHomePage 80</P> <HR /> <P>I can use a replace on the StepName so I have </P> <HR /> <P>GetLoginPage 50<BR /><BR /> PostLoginPage 100<BR /><BR /> PostLoginPage 250<BR /><BR /> GetHomePage 80</P> <HR /> <P>How can I then merge these results so it summates the two PostLoginPage steps and then gives me an average over the time period for the three individual steps? </P> <P>Note each step has a field called TransactionGUID which associates a group of steps for the same execution.</P> Wed, 24 Oct 2012 09:21:31 GMT paddy3883 2012-10-24T09:21:31Z https://community.splunk.com/t5/Getting-Data-In/Merging-Associated-Events/m-p/100644#M21077 <P>I have a script which sends individual events into Splunk, each event is essentially a report on a HTTP Request, either GET or POST. The event contains a number of fields but two key ones are StepName and Timing:</P> <OL> <LI>StepName will be a title for the HTTPRequest etc. PostLogin</LI> <LI>Timing will be a int value of the milliseconds taken by HttpRequest</LI> </OL> <P>I'm writing a report which shows the average time taken for each step over last 15 minutes. However, from an end users point of view, some steps are part of one process e.g.</P> <OL> <LI>Step1 - GetLoginPage</LI> <LI>Step2 - PostLoginPage</LI> <LI>Step3 - ProcessUserDetails</LI> <LI>Step4 - GetHomePage</LI> </OL> <P>In this case Step2 and Step3 would be one process for an end user, therefore I'd like to be able to report on these as if they were one step so the following:</P> <HR /> <P>GetLoginPage 50<BR /><BR /> PostLoginPage 100<BR /><BR /> ProcessUserDetails 250<BR /><BR /> GetHomePage 80</P> <HR /> <P>would become</P> <HR /> <P>GetLoginPage 50<BR /><BR /> PostLoginPage 350<BR /><BR /> GetHomePage 80</P> <HR /> <P>I can use a replace on the StepName so I have </P> <HR /> <P>GetLoginPage 50<BR /><BR /> PostLoginPage 100<BR /><BR /> PostLoginPage 250<BR /><BR /> GetHomePage 80</P> <HR /> <P>How can I then merge these results so it summates the two PostLoginPage steps and then gives me an average over the time period for the three individual steps? </P> <P>Note each step has a field called TransactionGUID which associates a group of steps for the same execution.</P> Wed, 24 Oct 2012 09:21:31 GMT https://community.splunk.com/t5/Getting-Data-In/Merging-Associated-Events/m-p/100644#M21077 paddy3883 2012-10-24T09:21:31Z https://community.splunk.com/t5/Getting-Data-In/Merging-Associated-Events/m-p/100645#M21078 <P>I would suggest searching the documentation for eval(case). I had a similar issue and this was a suitable workaround. If you need any more help, let me know <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 24 Oct 2012 10:32:24 GMT https://community.splunk.com/t5/Getting-Data-In/Merging-Associated-Events/m-p/100645#M21078 watsm10 2012-10-24T10:32:24Z https://community.splunk.com/t5/Getting-Data-In/Merging-Associated-Events/m-p/100646#M21079 <P>so.. eval StepName = case(HTTPRequest="GetLoginPage","GetLoginPage",(HTTPRequest="PostLoginPage" and HTTPRequest="ProcessUserDetails"),"PostLoginPage",HTTPRequest="GetHomePage","GetHomePage") </P> <P>so it's case(name of fields you wish to rename/combine,"new name",name of fields you wish to rename/combine,"new name".......)</P> Wed, 24 Oct 2012 10:38:18 GMT https://community.splunk.com/t5/Getting-Data-In/Merging-Associated-Events/m-p/100646#M21079 watsm10 2012-10-24T10:38:18Z https://community.splunk.com/t5/Getting-Data-In/Merging-Associated-Events/m-p/100647#M21080 <P>Hello,</P> <PRE><CODE>your_search | replace "ProcessUserDetails" with "PostLoginPage" in StepName | chart sum(exec_time) over TransactionGUID by StepName | stats avg(GetLoginPage) avg(PostLoginPage) avg(GetHomePage) </CODE></PRE> <P>is one way to do it. <CODE>exec_time</CODE> would be the field where the execution time is stored.</P> <P>Hope this helps,</P> <P>Kristian</P> Wed, 24 Oct 2012 11:59:19 GMT https://community.splunk.com/t5/Getting-Data-In/Merging-Associated-Events/m-p/100647#M21080 kristian_kolb 2012-10-24T11:59:19Z https://community.splunk.com/t5/Getting-Data-In/Merging-Associated-Events/m-p/100648#M21081 <P>Thanks, I have found a way to do it not too disimilar to this so thanks for feedback.</P> Wed, 24 Oct 2012 12:13:28 GMT https://community.splunk.com/t5/Getting-Data-In/Merging-Associated-Events/m-p/100648#M21081 paddy3883 2012-10-24T12:13:28Z https://community.splunk.com/t5/Getting-Data-In/Merging-Associated-Events/m-p/100649#M21082 <P>Thanks, I was able to use the eval for this purpose and work into a solution</P> Wed, 24 Oct 2012 12:13:53 GMT https://community.splunk.com/t5/Getting-Data-In/Merging-Associated-Events/m-p/100649#M21082 paddy3883 2012-10-24T12:13:53Z