topic Re: How to do postprocessing without a join? in Splunk Search

How to do postprocessing without a join?

Mohsin123 — Sat, 28 Jul 2018 10:50:06 GMT

index=abc caller-id IN ("8179f4c86", "926bbcf8957a") component=Chatbot

| join transaction id 
    [ search index=pqr component=$MSComp$
    logpoint=response-out (status="ok" OR status="error" OR status="failure" OR status="timeout")] 
| timechart span=$span$ count(eval(status="ok")) as Success count(eval(status="error")) as Error ,count(status) as total 
| eval Success=round((Success/total)*100,2) 
| eval Error=round((Error/total)*100,2) 
| eval failure=100-(Success+Error) 
| fields _time, failure ,Error,Success

I have lots of panels where this join is made.
Please help me with postprocessing without a join.

condition is : transaction -ids for the caller-ids in abc index is ame as  transaction-ids in index pqr

Re: How to do postprocessing without a join?

gcusello — Sat, 28 Jul 2018 14:34:54 GMT

Hi shraddhamuduli
sometimes you can replace join or transaction with stats command, try something like this:

(index=abc (caller-id="8179f4c86" OR caller-id="926bbcf8957a") component=Chatbot)
OR (index=pqr component=$MSComp$ logpoint=response-out (status="ok" OR status="error" OR status="failure" OR status="timeout"))
| bin _time span=$span$
| stats values(status) AS status BYtransaction-id _time
| timechart  count(eval(status="ok")) as Success count(eval(status="error")) as Error count(status) as total 
| eval Success=round((Success/total)*100,2) 
| eval Error=round((Error/total)*100,2) 
| eval failure=100-(Success+Error) 
| fields _time failure Error Success

Bye.
Giuseppe

Re: How to do postprocessing without a join?

Mohsin123 — Sat, 28 Jul 2018 17:49:05 GMT

Thanks
Just one concern :

The OR will give results belonging to caller-id in index=abc + the results belonging to index=pqr

here pqr might contain data belonging to other caller-ids as well

The flow is like

the data belonging to caller-ids in first index and the data belonging to same caller-id belonging to 2nd index is same on the basis of transaction id

the caller-id value changes when the data flows from index abc to index pqr

note, pqr is the 2nd layer(or entry point) to index layer abc

Re: How to do postprocessing without a join?

woodcock — Sat, 28 Jul 2018 17:51:10 GMT

Are you saying that the first search is your base search and the rest of your stuff below is your post-process search and furthermore that you have many panels with similar post-process searches which all start with the same |join []? If so, why not move the join to the base search?