https://community.splunk.com/t5/Knowledge-Management/Search-driven-by-KVStore-parameters/m-p/335309#M2873 <P>@stephendavisWK, if your problem is resolved, please accept the answer.</P> Fri, 17 Nov 2017 21:59:28 GMT richgalloway 2017-11-17T21:59:28Z https://community.splunk.com/t5/Knowledge-Management/Search-driven-by-KVStore-parameters/m-p/335306#M2870 <P>I have a set of events similar to below and a working search for a single ID value of 133. My next step is to make the ID dynamic from a KVStore. My attempts so far have been unsuccessful and I could use some help. I am not even positive this is the right approach. </P> <P>This is for a custom app for internal use so options are wide open on how to best approach this.<BR /> Ideas?</P> <P>Events:<BR /> date time : Process Start for core instance ID: 133<BR /> date time : random message 1<BR /> date time : random message 5<BR /> date time : Process Ending ID: 133<BR /> date time : Process Start for core instance ID: 145<BR /> date time : random message 2<BR /> date time : random message 4<BR /> date time : random message 7<BR /> date time : Process Ending ID: 145<BR /> etc...</P> <P>Working search:<BR /> index=myindex source=mysource<BR /> [search index=myindex ("Process Start" AND "ID: 133") | head 1 | eval earliest=_time | table earliest] <BR /> [search index=myindex ("Process Ending" AND "ID: 133") | head 1 | eval latest=_time+1 | table latest] <BR /> | eval StatusCode=<BR /> if((like(_raw, "%Process Start%") AND like(_raw, "%ID: 133%")), 1, <BR /> if(like(_raw, "%Process Ending%"), 2, 0)) <BR /> | stats sum(StatusCode) as StatusCode, min(_time) as StartTime<BR /> | eval Started=if((StatusCode /1)&gt;=1,"Success","Fail") <BR /> | eval Finished=if((StatusCode /2)&gt;=1,"Success","Fail") <BR /> | eval Time=strftime(StartTime,"%c")<BR /> | table StartTime, evalVal1, evalVal2</P> <P>Desired Results:<BR /> ID StartTime Started Finished<BR /> 133 datetime Success Success<BR /> 145 datetime Success Fail</P> Tue, 29 Sep 2020 15:45:10 GMT https://community.splunk.com/t5/Knowledge-Management/Search-driven-by-KVStore-parameters/m-p/335306#M2870 stephendavisWK 2020-09-29T15:45:10Z https://community.splunk.com/t5/Knowledge-Management/Search-driven-by-KVStore-parameters/m-p/335307#M2871 <P>Correction: "| table StartTime, evalVal1, evalVal2" in working search should be "| table StartTime, Started, Finished"</P> Fri, 15 Sep 2017 14:05:28 GMT https://community.splunk.com/t5/Knowledge-Management/Search-driven-by-KVStore-parameters/m-p/335307#M2871 stephendavisWK 2017-09-15T14:05:28Z https://community.splunk.com/t5/Knowledge-Management/Search-driven-by-KVStore-parameters/m-p/335308#M2872 <P>The final solution involved writing a python script which pulled data from a kvstore. Then using these parameters performing additional searches to gather events. The events were then accumulated in a json result set and returned to the client.</P> Fri, 17 Nov 2017 19:47:21 GMT https://community.splunk.com/t5/Knowledge-Management/Search-driven-by-KVStore-parameters/m-p/335308#M2872 stephendavisWK 2017-11-17T19:47:21Z https://community.splunk.com/t5/Knowledge-Management/Search-driven-by-KVStore-parameters/m-p/335309#M2873 <P>@stephendavisWK, if your problem is resolved, please accept the answer.</P> Fri, 17 Nov 2017 21:59:28 GMT https://community.splunk.com/t5/Knowledge-Management/Search-driven-by-KVStore-parameters/m-p/335309#M2873 richgalloway 2017-11-17T21:59:28Z