https://community.splunk.com/t5/Splunk-Search/Append-search-result/m-p/555578#M157722 <P>Hello Fo<SPAN>lks, </SPAN></P><P><SPAN>In my current use case i receive events with 3 fields as json .&nbsp;&nbsp;</SPAN></P><P>{ 'tid'<SPAN>'123',&nbsp;</SPAN><SPAN>' 'type': 'R',&nbsp;</SPAN><SPAN>'app_name': 'app-1'</SPAN><SPAN>}</SPAN></P><P><SPAN>Here app_name (app-1 to app-6) are micro services in which tid is generated by app-1 and passed on to other apps. </SPAN></P><P><SPAN>Each app generate 2 events - with type as R and D. </SPAN></P><P><SPAN>So for a transaction there will be 12 events with unique tid.&nbsp;</SPAN></P><P>I want generate a dashboard just out of time range the customer selects so that they get a tabular panel with below columns with the time the event was received.</P><P>tid | app-1 R | app-1 D | time took| •••• for each app-*</P><P>If I understand, I need to have 2 searches. (1) get unique tid in app-1 and (2) using the unique tid , search app events and form the above table&nbsp;</P><P>Can you pls help me to frame this query as I am stuck with append query.</P> Sun, 13 Jun 2021 04:03:26 GMT rangarbus 2021-06-13T04:03:26Z https://community.splunk.com/t5/Splunk-Search/Append-search-result/m-p/555578#M157722 <P>Hello Fo<SPAN>lks, </SPAN></P><P><SPAN>In my current use case i receive events with 3 fields as json .&nbsp;&nbsp;</SPAN></P><P>{ 'tid'<SPAN>'123',&nbsp;</SPAN><SPAN>' 'type': 'R',&nbsp;</SPAN><SPAN>'app_name': 'app-1'</SPAN><SPAN>}</SPAN></P><P><SPAN>Here app_name (app-1 to app-6) are micro services in which tid is generated by app-1 and passed on to other apps. </SPAN></P><P><SPAN>Each app generate 2 events - with type as R and D. </SPAN></P><P><SPAN>So for a transaction there will be 12 events with unique tid.&nbsp;</SPAN></P><P>I want generate a dashboard just out of time range the customer selects so that they get a tabular panel with below columns with the time the event was received.</P><P>tid | app-1 R | app-1 D | time took| •••• for each app-*</P><P>If I understand, I need to have 2 searches. (1) get unique tid in app-1 and (2) using the unique tid , search app events and form the above table&nbsp;</P><P>Can you pls help me to frame this query as I am stuck with append query.</P> Sun, 13 Jun 2021 04:03:26 GMT https://community.splunk.com/t5/Splunk-Search/Append-search-result/m-p/555578#M157722 rangarbus 2021-06-13T04:03:26Z https://community.splunk.com/t5/Splunk-Search/Append-search-result/m-p/555586#M157726 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/226197">@rangarbus</a>&nbsp;</P><P>Please share some sample of multiple apps and the expected output from that sample events.</P><P>KV</P> Sun, 13 Jun 2021 07:02:34 GMT https://community.splunk.com/t5/Splunk-Search/Append-search-result/m-p/555586#M157726 kamlesh_vaghela 2021-06-13T07:02:34Z https://community.splunk.com/t5/Splunk-Search/Append-search-result/m-p/555595#M157728 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/127939">@kamlesh_vaghela</a>&nbsp;</P><P>Example Events are as below.</P><P>There could be up to app-1 to app-6 (example here shows app-1 to app-3).</P><P><FONT size="2">{ "log_processed": { "app_name": "app-1", message: {"type":"R","bk":"Cust-1|Order-2"}, "tId": "f7ac16537e4e89d16c0f5b8c83bd45f2" }</FONT><BR /><FONT size="2">{ "log_processed": { "app_name": "app-1", message: {"type":"D","bk":"Cust-1|Order-2"}, "tId": "f7ac16537e4e89d16c0f5b8c83bd45f2" }</FONT><BR /><FONT size="2">{ "log_processed": { "app_name": "app-2", message: {"type":"R","bk":"Cust-1|Order-2"}, "tId": "f7ac16537e4e89d16c0f5b8c83bd45f2" }</FONT><BR /><FONT size="2">{ "log_processed": { "app_name": "app-2", message: {"type":"D","bk":"Cust-1|Order-2"}, "tId": "f7ac16537e4e89d16c0f5b8c83bd45f2" }</FONT><BR /><FONT size="2">{ "log_processed": { "app_name": "app-3", message: {"type":"R","bk":"Cust-1|Order-2|1"}, "tId": "f7ac16537e4e89d16c0f5b8c83bd45f2" }</FONT><BR /><FONT size="2">{ "log_processed": { "app_name": "app-3", message: {"type":"D","bk":"Cust-1|Order-2|1"}, "tId": "f7ac16537e4e89d16c0f5b8c83bd45f2" }</FONT></P><P>Here tId is same for all events. So we need to group all events&nbsp; by tId field and generate the dashboard below</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rangarbus_0-1623600605836.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/14613i41D166D61B417A8B/image-size/large?v=v2&amp;px=999" role="button" title="rangarbus_0-1623600605836.png" alt="rangarbus_0-1623600605836.png" /></span></P><P>&nbsp;</P> Mon, 14 Jun 2021 15:50:17 GMT https://community.splunk.com/t5/Splunk-Search/Append-search-result/m-p/555595#M157728 rangarbus 2021-06-14T15:50:17Z https://community.splunk.com/t5/Splunk-Search/Append-search-result/m-p/555676#M157753 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/226197">@rangarbus</a>&nbsp;</P><P>Can you please try this?</P><LI-CODE lang="markup">YOUR_SEARCH | rename log_processed.* as *, message.* as message_* | fields tId app_name message_bk message_type | stats max(eval(if(message_type="D",_time,null()))) as message_type_D min(eval(if(message_type="R",_time,null()))) as message_type_R by tId app_name | eval diff= message_type_D - message_type_R, app_name="app_name=".app_name.". Time took (Sec)" | chart values(diff) as diff over tId by app_name | addtotals</LI-CODE><P>&nbsp;</P><P><STRONG>My Sample Search :</STRONG></P><LI-CODE lang="markup">| makeresults | eval raw="{ \"log_processed\": { \"app_name\": \"app-1\", \"message\": {\"type\":\"R\",\"bk\":\"Cust-1|Order-2\"}, \"tId\": \"f7ac16537e4e89d16c0f5b8c83bd45f2\" }}@@{ \"log_processed\": { \"app_name\": \"app-1\", \"message\": {\"type\":\"D\",\"bk\":\"Cust-1|Order-2\"}, \"tId\": \"f7ac16537e4e89d16c0f5b8c83bd45f2\" }}@@{ \"log_processed\": { \"app_name\": \"app-2\", \"message\": {\"type\":\"R\",\"bk\":\"Cust-1|Order-2\"}, \"tId\": \"f7ac16537e4e89d16c0f5b8c83bd45f2\" }}@@{ \"log_processed\": { \"app_name\": \"app-2\", \"message\": {\"type\":\"D\",\"bk\":\"Cust-1|Order-2\"}, \"tId\": \"f7ac16537e4e89d16c0f5b8c83bd45f2\" }}@@{ \"log_processed\": { \"app_name\": \"app-3\", \"message\": {\"type\":\"R\",\"bk\":\"Cust-1|Order-2|1\"}, \"tId\": \"f7ac16537e4e89d16c0f5b8c83bd45f2\" }}@@{ \"log_processed\": { \"app_name\": \"app-3\", \"message\": {\"type\":\"D\",\"bk\":\"Cust-1|Order-2|1\"}, \"tId\": \"f7ac16537e4e89d16c0f5b8c83bd45f2\" }}", raw=split(raw,"@@") | mvexpand raw | rename raw as _raw | eval t= 1000 | accum t | eval _time=_time + t | fields - t | extract | rename log_processed.* as *, message.* as message_* | fields tId app_name message_bk message_type | stats max(eval(if(message_type="D",_time,null()))) as message_type_D min(eval(if(message_type="R",_time,null()))) as message_type_R by tId app_name | eval diff= message_type_D - message_type_R, app_name="app_name=".app_name.". Time took (Sec)" | chart values(diff) as diff over tId by app_name | addtotals</LI-CODE><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2021-06-14 at 9.58.41 PM.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/14623i05C0734B867CB12A/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot 2021-06-14 at 9.58.41 PM.png" alt="Screenshot 2021-06-14 at 9.58.41 PM.png" /></span></P><P>&nbsp;</P><P>Thanks<BR />KV<BR />▄︻̷̿┻̿═━一<BR /><BR />If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated. </P> Mon, 14 Jun 2021 16:28:56 GMT https://community.splunk.com/t5/Splunk-Search/Append-search-result/m-p/555676#M157753 kamlesh_vaghela 2021-06-14T16:28:56Z https://community.splunk.com/t5/Splunk-Search/Append-search-result/m-p/555728#M157766 <P>Thank you&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/127939">@kamlesh_vaghela</a>&nbsp;. It worked.</P><P>Only follow-up question i have is whether it is possible to sort the app_name in a specific sequence on the dashboard. ?</P><P>app_name required on sequence as "Xerox, Printer, Copier, Marker"</P><P>With the current dashboard output the app_name are sorted as "Copier, Marker, Printer , Xerox"</P> Tue, 15 Jun 2021 07:02:34 GMT https://community.splunk.com/t5/Splunk-Search/Append-search-result/m-p/555728#M157766 rangarbus 2021-06-15T07:02:34Z https://community.splunk.com/t5/Splunk-Search/Append-search-result/m-p/555737#M157768 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/226197">@rangarbus</a>&nbsp;</P><P>I think the same search will work..&nbsp;Can you please try this?</P><LI-CODE lang="markup">| makeresults | eval raw="{ \"log_processed\": { \"app_name\": \"Xerox\", \"message\": {\"type\":\"R\",\"bk\":\"Cust-1|Order-2\"}, \"tId\": \"f7ac16537e4e89d16c0f5b8c83bd45f2\" }}@@{ \"log_processed\": { \"app_name\": \"Xerox\", \"message\": {\"type\":\"D\",\"bk\":\"Cust-1|Order-2\"}, \"tId\": \"f7ac16537e4e89d16c0f5b8c83bd45f2\" }}@@{ \"log_processed\": { \"app_name\": \"Printer\", \"message\": {\"type\":\"R\",\"bk\":\"Cust-1|Order-2\"}, \"tId\": \"f7ac16537e4e89d16c0f5b8c83bd45f2\" }}@@{ \"log_processed\": { \"app_name\": \"Printer\", \"message\": {\"type\":\"D\",\"bk\":\"Cust-1|Order-2\"}, \"tId\": \"f7ac16537e4e89d16c0f5b8c83bd45f2\" }}@@{ \"log_processed\": { \"app_name\": \"Copier\", \"message\": {\"type\":\"R\",\"bk\":\"Cust-1|Order-2|1\"}, \"tId\": \"f7ac16537e4e89d16c0f5b8c83bd45f2\" }}@@{ \"log_processed\": { \"app_name\": \"Copier\", \"message\": {\"type\":\"D\",\"bk\":\"Cust-1|Order-2|1\"}, \"tId\": \"f7ac16537e4e89d16c0f5b8c83bd45f2\" }}", raw=split(raw,"@@") | mvexpand raw | rename raw as _raw | eval t= 1000 | accum t | eval _time=_time + t | fields - t | extract | rename log_processed.* as *, message.* as message_* | fields tId app_name message_bk message_type | stats max(eval(if(message_type="D",_time,null()))) as message_type_D min(eval(if(message_type="R",_time,null()))) as message_type_R by tId app_name | eval diff= message_type_D - message_type_R, app_name="app_name=".app_name.". Time took (Sec)" | chart values(diff) as diff over tId by app_name | addtotals</LI-CODE><P>&nbsp;</P><P>Thanks<BR />KV<BR />▄︻̷̿┻̿═━一<BR /><BR />If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.</P> Tue, 15 Jun 2021 07:43:13 GMT https://community.splunk.com/t5/Splunk-Search/Append-search-result/m-p/555737#M157768 kamlesh_vaghela 2021-06-15T07:43:13Z https://community.splunk.com/t5/Splunk-Search/Append-search-result/m-p/555824#M157814 <P>Thank you&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/127939">@kamlesh_vaghela</a>&nbsp;.</P><P>I got the problem, the app_name are prefixed with static string "cs-" which cause the resulted columns to be sorted in asc order rather just following the event sequence.</P><LI-CODE lang="markup">| makeresults | eval raw="{ \"log_processed\": { \"app_name\": \"cs-xerox\", \"message\": {\"type\":\"R\",\"bk\":\"Cust-1|Order-2\"}, \"tId\": \"f7ac16537e4e89d16c0f5b8c83bd45f2\" }}@@{ \"log_processed\": { \"app_name\": \"cs-xerox\", \"message\": {\"type\":\"D\",\"bk\":\"Cust-1|Order-2\"}, \"tId\": \"f7ac16537e4e89d16c0f5b8c83bd45f2\" }}@@{ \"log_processed\": { \"app_name\": \"cs-printer\", \"message\": {\"type\":\"R\",\"bk\":\"Cust-1|Order-2\"}, \"tId\": \"f7ac16537e4e89d16c0f5b8c83bd45f2\" }}@@{ \"log_processed\": { \"app_name\": \"cs-printer\", \"message\": {\"type\":\"D\",\"bk\":\"Cust-1|Order-2\"}, \"tId\": \"f7ac16537e4e89d16c0f5b8c83bd45f2\" }}@@{ \"log_processed\": { \"app_name\": \"cs-copier\", \"message\": {\"type\":\"R\",\"bk\":\"Cust-1|Order-2|1\"}, \"tId\": \"f7ac16537e4e89d16c0f5b8c83bd45f2\" }}@@{ \"log_processed\": { \"app_name\": \"cs-copier\", \"message\": {\"type\":\"D\",\"bk\":\"Cust-1|Order-2|1\"}, \"tId\": \"f7ac16537e4e89d16c0f5b8c83bd45f2\" }}", raw=split(raw,"@@") | mvexpand raw | rename raw as _raw | eval t= 1000 | accum t | eval _time=_time + t | fields - t | extract | rename log_processed.* as *, message.* as message_* | fields tId app_name message_bk message_type | stats max(eval(if(message_type="D",_time,null()))) as message_type_D min(eval(if(message_type="R",_time,null()))) as message_type_R by tId app_name | eval diff= message_type_D - message_type_R, app_name="app_name=".app_name.". Time took (Sec)" | chart values(diff) as diff over tId by app_name | addtotals</LI-CODE><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rangarbus_0-1623774048509.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/14638i6A79A3F0A2904C71/image-size/large?v=v2&amp;px=999" role="button" title="rangarbus_0-1623774048509.png" alt="rangarbus_0-1623774048509.png" /></span></P><P>Ideally, the columns should have been <STRONG>tId, app_name=cs-xerox, app_name=cs-printer, app_name=cs-copier</STRONG> - just like the event sequence.</P> Tue, 15 Jun 2021 16:22:30 GMT https://community.splunk.com/t5/Splunk-Search/Append-search-result/m-p/555824#M157814 rangarbus 2021-06-15T16:22:30Z https://community.splunk.com/t5/Splunk-Search/Append-search-result/m-p/555836#M157823 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/226197">@rangarbus</a>&nbsp;</P><P><SPAN>By default the fields are ordered alpha-numerically and field values do not override that default ordering.</SPAN></P><P><SPAN>But we can trick with some values.&nbsp;Can you please try this?<BR /></SPAN></P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval raw="{ \"log_processed\": { \"app_name\": \"cs-xerox\", \"message\": {\"type\":\"R\",\"bk\":\"Cust-1|Order-2\"}, \"tId\": \"f7ac16537e4e89d16c0f5b8c83bd45f2\" }}@@{ \"log_processed\": { \"app_name\": \"cs-xerox\", \"message\": {\"type\":\"D\",\"bk\":\"Cust-1|Order-2\"}, \"tId\": \"f7ac16537e4e89d16c0f5b8c83bd45f2\" }}@@{ \"log_processed\": { \"app_name\": \"cs-printer\", \"message\": {\"type\":\"R\",\"bk\":\"Cust-1|Order-2\"}, \"tId\": \"f7ac16537e4e89d16c0f5b8c83bd45f2\" }}@@{ \"log_processed\": { \"app_name\": \"cs-printer\", \"message\": {\"type\":\"D\",\"bk\":\"Cust-1|Order-2\"}, \"tId\": \"f7ac16537e4e89d16c0f5b8c83bd45f2\" }}@@{ \"log_processed\": { \"app_name\": \"cs-copier\", \"message\": {\"type\":\"R\",\"bk\":\"Cust-1|Order-2|1\"}, \"tId\": \"f7ac16537e4e89d16c0f5b8c83bd45f2\" }}@@{ \"log_processed\": { \"app_name\": \"cs-copier\", \"message\": {\"type\":\"D\",\"bk\":\"Cust-1|Order-2|1\"}, \"tId\": \"f7ac16537e4e89d16c0f5b8c83bd45f2\" }}", raw=split(raw,"@@") | mvexpand raw | rename raw as _raw | eval t= 1000 | accum t | eval _time=_time + t | fields - t | extract | rename log_processed.* as *, message.* as message_* | fields tId app_name message_bk message_type | eval a=1 | accum a | stats max(eval(if(message_type="D",_time,null()))) as message_type_D min(eval(if(message_type="R",_time,null()))) as message_type_R max(a) as a by tId app_name | eval diff= message_type_D - message_type_R, app_name=(a/2)."_app_name=".app_name.". Time took (Sec)" | chart values(diff) as diff over tId by app_name</LI-CODE><P>&nbsp;</P><P><SPAN>Thanks<BR />KV<BR />▄︻̷̿┻̿═━一<BR /><BR />If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.</SPAN></P> Tue, 15 Jun 2021 17:30:03 GMT https://community.splunk.com/t5/Splunk-Search/Append-search-result/m-p/555836#M157823 kamlesh_vaghela 2021-06-15T17:30:03Z https://community.splunk.com/t5/Splunk-Search/Append-search-result/m-p/555892#M157846 <P>Thank you&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/127939">@kamlesh_vaghela</a>. It worked.. Really appreciate your quick help!</P> Wed, 16 Jun 2021 02:28:08 GMT https://community.splunk.com/t5/Splunk-Search/Append-search-result/m-p/555892#M157846 rangarbus 2021-06-16T02:28:08Z https://community.splunk.com/t5/Splunk-Search/Append-search-result/m-p/555896#M157847 <P>Glad to help you&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/226197">@rangarbus</a>&nbsp;</P><P>&nbsp;</P><P>Happy Splunking</P><P>&nbsp;</P> Wed, 16 Jun 2021 03:30:25 GMT https://community.splunk.com/t5/Splunk-Search/Append-search-result/m-p/555896#M157847 kamlesh_vaghela 2021-06-16T03:30:25Z