topic Re: Combine two events which has unique field and get difference between those two events in Alerting

Combine two events which has unique field and get difference between those two events

vineela — Tue, 31 May 2022 06:14:58 GMT

Hi All, I haven3 events in splunk where there is one unique field in all the three events.
Here is the example:

[2022-05-10 23:17:23,049] [INFO ] [] [c.c.n.t.e.i.T.JmsMessageEventData] [] - channel="NPP_MPIR.CHANNEL", productVersion="1.3.1-0-1-404089bc7", uuid="3c78031b-12b3-4694-ab88-3a265bf8499e", eventDateTime="2022-05-10T23:17:23.049Z", severity="INFO", code="JmsMessageEventData", component="mq.listener", category="default", serviceName="Mandated Payment Initiation", eventName="MANDATED_PAYMENT_INITIATION.SERVICE_START", message="Mandated Payment Initiation Event", entityType="MSG", start="1652188643002", messageIdentification="CTBAAUSNXXX20220510020220510131721", queueManagerName="PGT201", queueManagerHostname="10.39.9.38",

Initial: [2022-05-10 23:17:24,425] [INFO ] [] [c.c.n.t.e.i.T.JmsMessageEventData] [] - eventDateTime="2022-05-10T23:17:24.425Z", severity="INFO", code="JmsMessageEventData", component="submission.sent", category="default", serviceName="Submission Service", eventName="PAYMENT_STATUS_REPORT.SENT", message="Customer initial status report sent to PAG", entityType="INSTR", externalSystem="PAG", start="1652188644418", stop="1652188644425", elapsed="7", exceptionInfo="null", messageIdentification="CTBAAUSNXXX20220510020220510131721", firstMessageTraceIdentification="2TDyn8AlRMud1mfUA49o6A"

Final: [2022-05-10 23:17:30,528] [INFO ] [] [c.c.n.t.e.i.T.JmsMessageEventData] [] - eventDateTime="2022-05-10T23:17:30.528Z", severity="INFO", code="JmsMessageEventData", component="submission.sent", category="default", serviceName="Submission Service", eventName="PAYMENT_STATUS_REPORT.SENT", message="Customer final status report sent to PAG", entityType="INSTR", externalSystem="PAG", start="1652188650520", stop="1652188650528", elapsed="8", exceptionInfo="null", messageIdentification="CTBAAUSNXXX20220510020220510131721", firstMessageTraceIdentification="2TDyn8AlRMud1mfUA49o6A",

These are the 3 events with unique field "messageIdentification", I need to combine 1 and 2 events and also 1 and 3 and get difference of time between them and calculate how much percentage of events are triggering in less than 15 sec and 30 sec.

I tried using transaction command but not able to fetch ..i think i am using it wrong.

Can anyone help me on the same.

Thanks in Advance.

Re: Combine two events which has unique field and get difference between those two events

ITWhisperer — Tue, 31 May 2022 06:46:55 GMT

Assuming the fields have already been extracted

| eval eventStart=if(eventName="MANDATED_PAYMENT_INITIATION.SERVICE_START",_time,null()) | eventstats values(eventStart) as eventStart by messageIdentification | eval initialTimeDiff=if(message="Customer initial status report sent to PAG", _time-eventStart, null()) | eval finalTimeDiff=if(message="Customer final status report sent to PAG", _time-eventStart, null()) | stats values(initialTimeDiff) as initialTimeDiff values(finalTimeDiff) as finalTimeDiff by messageIdentification

This will get you the time differences - I am not sure what you are looking in terms of percentages and the two boundaries - for example, do you mean percentage of initial differences less than 15 and percentage of final differences less than 30 or percentages of both being less than 15 and both being less than 30?

Re: Combine two events which has unique field and get difference between those two events

PickleRick — Tue, 31 May 2022 07:26:09 GMT

You can do a single huge ugly stats with evals but it's prettier to go with a solution similar to what @ITWhisperer 's started with. More or less something like this (assuming that you have one value per "type" of event):

<<your search>>
| eval starttime=if(eventName="MANDATED_PAYMENT_INITIATION.SERVICE_START",_time,null())
| eval initialtime=if(message="Customer initial status report sent to PAG",_time,null())
| eval finaltime=if(message="Customer final status report sent to PAG",_time,null())
| stats values(starttime) as starttime values(initialtime) as initialtime values(finaltime) as finaltime by messageIdentification
| eval initialduration=initialtime-starttime
| eval finalduration=finaltime-starttime

This way you have your duration times and can do aggregate summaries like counting and calculating percentages and so on.

Re: Combine two events which has unique field and get difference between those two events

vineela — Tue, 31 May 2022 07:34:08 GMT

Hi Both,

Thanks for your response.

But i am not able to get any results.

please find screenshot for reference.

Re: Combine two events which has unique field and get difference between those two events

ITWhisperer — Tue, 31 May 2022 07:42:01 GMT

Remove "stats count by eventName" - this is limiting the events to just two fields (count and eventName)

Re: Combine two events which has unique field and get difference between those two events

vineela — Tue, 31 May 2022 07:51:15 GMT

Still no luck

Re: Combine two events which has unique field and get difference between those two events

ITWhisperer — Tue, 31 May 2022 08:00:49 GMT

You need to go back a step - do you have a field called log? If not, you could do your rex against the _raw field (which is the default if no field is specified)

| rex "eventName=...

Re: Combine two events which has unique field and get difference between those two events

vineela — Fri, 03 Jun 2022 04:14:39 GMT

Hi Whisper,

Yes,i have log in my event and now am able to fetch events.and calculate time as well. But not able to calculate the initial percentage and final percentage as well. Can you please help me on the same.

Thanks in Advance.

Re: Combine two events which has unique field and get difference between those two events

ITWhisperer — Fri, 03 Jun 2022 05:28:05 GMT

What do you currently have? Please share the code in a code block </>