topic Re: Group events based on order of occurance of the events in Dashboards & Visualizations

Group events based on order of occurance of the events

Souradip11 — Fri, 12 Dec 2025 06:27:46 GMT

Hello Splunkers,

Is it possible to group events based on a sequence.

Event 1 - request , request_id 123

Event 2 - response , 200

Event 3 - request , request_id 456

Event 4 - response , 400

For each request I want first occured response to be group together

Group 1-

(Event 1 - request , request_id 123

Event 2 - response , 200)

Group 2-

( Event 3 - request , request_id 456

Event 4 - response , 400)

Note:- request_id is not logged in response.

My actual expectation here is to get the response for each request id .

Re: Group events based on order of occurance of the events

gcusello — Fri, 12 Dec 2025 08:07:49 GMT

Hi @Souradip11 ,

even if request_id isn't available in events, is there something else to correlate events?

could you share a sample of your four types of logs?

Ciao.

Giuseppe

Re: Group events based on order of occurance of the events

ITWhisperer — Fri, 12 Dec 2025 08:49:24 GMT

Assuming the event type has been extracted to a field called "type", and your events have been sorted into chronological order, you could do something along these lines

| streamstats count as event_number by type | stats list(_raw) as raw_events by event_number

Re: Group events based on order of occurance of the events

PickleRick — Fri, 12 Dec 2025 09:17:50 GMT

The answer to your question depends greatly on what you mean by "group". Do you just want to sort the events in the even list? Or do you want to do some summarization and gather all fields from both request and response into a single result? Is there any field by which you can correlate a request with a response?

Re: Group events based on order of occurance of the events

Souradip11 — Fri, 12 Dec 2025 10:41:38 GMT

Hi @gcusello ,

There is no such information in the response that could corelate to respective request. Only thing mentioned is that there can't be a parallel request. Request can be made only if the response of previous request is received.

Re: Group events based on order of occurance of the events

Souradip11 — Fri, 12 Dec 2025 10:59:38 GMT

Hi @PickleRick

I want to get the response code for each request id .

Re: Group events based on order of occurance of the events

ITWhisperer — Fri, 12 Dec 2025 11:14:12 GMT

Assuming you have fields event_type (all events), request_id (just request events) and response_code (just response events), and your events are in reverse chronological order, then you could do this

| filldown response_code | where event_type="request"

To be honest, all this is theoretical - if you want more salient advice, I suggest you post some representative sanitised sample events so we can see what you are dealing with.

Re: Group events based on order of occurance of the events

PickleRick — Fri, 12 Dec 2025 14:11:41 GMT

Then all you can rely on is the event order. But this obviously raises questions about abnormal situations (like whether/how the source side handles error situations - does it just drop a request or does it reissue one?).

Generally, you can use filldown (or streamstats) to populate a field based on a previous event's value like it's been already shown in this thread. Just remember that Splunk by default returns events in reverse chronological order. So if you want to rely on a request being _before_ the response, you need to resort your results to have older ones first.

Re: Group events based on order of occurance of the events

gcusello — Mon, 15 Dec 2025 07:55:03 GMT

Hi @Souradip11 ,

in this case, you should try using the transaction command using the startswith and endswith options to correlate events, for more details see at

https://docs.splunk.com/Documentation/Splunk/9.1.0/SearchReference/Transaction

https://docs.splunk.com/Documentation/SplunkCloud/latest/Search/Abouttransactions

https://docs.splunk.com/Documentation/SplunkCloud/latest/Knowledge/Searchfortransactions

Ciao.

Giuseppe