topic Re: How can I combine the events to bring it back as 1 event or even for it to show just a list of fields? in Splunk Search

How can I combine the events to bring it back as 1 event or even for it to show just a list of fields?

Sfry1981 — Tue, 29 Sep 2020 20:01:17 GMT

I have a search like this where it brings back a history of an event based on the guid. The last event has the information about the error but the first event has the information about the ID of the user under a_tid. I have mapped out the searches below for info:

index=nameofindex Microservice "Instance errored"

This brings back the below event

a_time="2018-06-15 21:26:49,836", a_tid="(null)", a_rid="71111111-3be2-46ea-a91e-f635b785a750",  a_msg="Instance errored"

Now if I search with the guid ID as per the below:

index=nameofindex a_rid="71111111-3be2-46ea-a91e-f635b785a750"

I get the below events:

a_time="2018-06-15 21:26:49,836", a_tid="(null)", a_rid="71111111-3be2-46ea-a91e-f635b785a750",  a_msg="Instance errored"

a_time="2018-06-15 21:26:49,671", a_tid="10132", a_rid="71111111-3be2-46ea-a91e-f635b785a750",  a_tid="00001" a_msg="Registering instance"

What I want to do is perform the first search but I want to pull through a list of the a_tid that has an ID like the above which shows 'a_tid="00001" '

Ideally I would like the event to show as the below:

a_time="2018-06-15 21:26:49,836", a_rid="71111111-3be2-46ea-a91e-f635b785a750",  a_msg="Instance errored", a_tid="00001"

So the link is there on the event history but how can I combine the events to bring it back as 1 event or even for it to show just a list of a_tid?

Re: How can I combine the events to bring it back as 1 event or even for it to show just a list of fields?

Ayn — Sun, 17 Jun 2018 09:38:28 GMT

I would write a subsearch for retrieving all a_rid values for events with the "Instance errored" message, then either run transaction or stats for getting the desired results. I noticed you say you're searching for "Microservice" but the example event you show doesn't actually have that string in it - maybe you meant sourcetype=Microservice or something? I'm assuming this in my query below.

index=nameofindex [search index=nameofindex sourcetype=Microservice "Instance errored" | fields a_rid] | transaction a_rid | search a_tid=00001

...or similarly using stats, which is cheaper from a performance perspective:

index=nameofindex [search index=nameofindex sourcetype=Microservice "Instance errored" | fields a_rid] | stats values(a_tid) as a_tid by a_rid | search a_tid=00001

Re: How can I combine the events to bring it back as 1 event or even for it to show just a list of fields?

Sfry1981 — Sun, 17 Jun 2018 19:34:23 GMT

Thanks Ayn, Thats done the trick. This now gives me the next step to connect more dots as it was bugging me 🙂

Also like you say the transaction was too costly so went with the stats which was alot better

Re: How can I combine the events to bring it back as 1 event or even for it to show just a list of fields?

Ayn — Sun, 17 Jun 2018 21:55:08 GMT

Cool, there's also eventstats that does the same as stats but keeps all data from the original events, if that helps.