topic Re: How do we fetch events after getting stats on the events , and we have no more of the events in the results? in Splunk Search

How do we fetch events after getting stats on the events , and we have no more of the events in the results?

rohanmiskin — Tue, 29 Sep 2020 23:01:21 GMT

Hi,

I'm trying to filter on the logs of spring boot application.
I want to calculate the time that a POST request takes.
The search query im trying is

index="xyz" correlationid="1234"| stats values(correlationid) min(_time) AS start max(_time) AS end | eval duration=end-start

Here, I manually search for the events which are POST requests, then I get the correlation ID of that request, and use it in the query.

The reason why im directly not using the string "POST" is that there are other logs too that get generated after a POST request is made till the POST returns status as successful. SO I have to consider all those events. Is there a way to search the correlation ID from all the events and then use the obtained correlation ID to fetch all the events with that correlation ID?

Example of logs
10.30 2019 | 1234 | POST /data
10.31 2019 | 1234 | data verified
10.32 2019 | 1234 | successfully posted data

I need the duration 10.32-10.30=0.02

Re: How do we fetch events after getting stats on the events , and we have no more of the events in the results?

chrisyounger — Wed, 30 Jan 2019 20:22:09 GMT

Hi @rohanmiskin

You are on the right track but I think this is what you need to do:

index="xyz" correlationid="1234"| stats min(_time) AS start max(_time) AS end by correlationid| eval duration=end-start

If that doesn't work for you, you can look into using the transaction command but that has some performance implications. https://docs.splunk.com/Documentation/Splunk/7.2.3/SearchReference/Transaction

All the best, Chris.

Re: How do we fetch events after getting stats on the events , and we have no more of the events in the results?

woodcock — Wed, 30 Jan 2019 20:54:00 GMT

The answer to your question as you have literally asked it, just change stats into eventstats.

Re: How do we fetch events after getting stats on the events , and we have no more of the events in the results?

rohanmiskin — Tue, 29 Sep 2020 23:01:32 GMT

Is there a way where i can fetch the correlation ids first and store them in a variable and use the variable in the query.
for example a variable 'a' contains the index and correlationid details:
a=(index="xyz" "POST /data" | stats values(correlationid) by index)
Then use this in the actual query
index="xyz" correlationid=a.get_correlationid| stats values(correlationid) min(_time) AS start max(_time) AS end | eval duration=end-start

Re: How do we fetch events after getting stats on the events , and we have no more of the events in the results?

rohanmiskin — Tue, 29 Sep 2020 23:01:34 GMT

Re: How do we fetch events after getting stats on the events , and we have no more of the events in the results?

chrisyounger — Thu, 31 Jan 2019 01:44:37 GMT

I am not sure what you mean but this may do it: index="xyz" | eventstats min(_time) AS start max(_time) AS end by correlationid| eval duration=end-start | search "POST /data"

index="xyz" | eventstats min(_time) AS start max(_time) AS end by correlationid| eval duration=end-start | search "POST /data" | table *

Re: How do we fetch events after getting stats on the events , and we have no more of the events in the results?

rohanmiskin — Thu, 31 Jan 2019 05:30:56 GMT

@chrisyoungerjds . This was what i wanted. Thank you very much :).

Re: How do we fetch events after getting stats on the events , and we have no more of the events in the results?

chrisyounger — Thu, 31 Jan 2019 05:34:27 GMT

Great to hear.