topic Re: How to fetch and compare unique id's from different events in Splunk query in Splunk Search

How to fetch and compare unique id's from different events in Splunk query

rkishoreqa — Wed, 01 Sep 2021 16:44:10 GMT

Hi team,

I am creating a query to fetch a unique id from different events which are having different statuses. If two log events are having same unique id and with status="START" & status="END" then that application has completed 1 success iteration or else it should be error.

I created one query can't understand how to compare the 'correlationId' from different events. Can anyone please help with the query to compare the 'correlationId' from different events along with below query.

>> index="dev" | rex "\"Status\\\\\"\s:\s\\\\\"(?<Status>[^\\\]+)" | stats count by applicationName,Status|where Status in("START","END")

Below are the logs for 'Start' & 'End' events.

log: [2021-09-01 04:14:10.216] INFO api [[PythonRuntime].uber.12772: [tyt-autoencoding-dev].get-terms-from-oc/processors/1.ps.BLOCKING @f089563] [event: 80961137-6734-4f7f-8750-3d27cdf2a4eb]: {
"correlationId" : "80961137-6734-4f7f-8750-3d27cdf2a4eb",
"Status" : "START",
"priority" : "INFO",
"category" : "com.tayota.api",
"elapsed" : 0,
"timestamp" : "2021-09-01T04:14:10.215Z",
"applicationName" : "Toyato Encoding API",
"applicationVersion" : "v1",
"environment" : "Development",
}

log: [2021-09-01 04:14:10.216] INFO api [[PythonRuntime].uber.12772: [tyt-autoencoding-dev].get-terms-from-oc/processors/1.ps.BLOCKING @f089563] [event: 80961137-6734-4f7f-8750-3d27cdf2a4eb]: {
"correlationId" : "80961137-6734-4f7f-8750-3d27cdf2a4eb",
"Status" : "END",
"priority" : "INFO",
"category" : "com.tayota.api",
"elapsed" : 0,
"timestamp" : "2021-09-01T04:14:10.215Z",
"applicationName" : "Toyato Encoding API",
"applicationVersion" : "v1",
"environment" : "Development",
}

Thanks in advance.

Re: How to fetch and compare unique id's from different events in Splunk query

ITWhisperer — Wed, 01 Sep 2021 20:47:34 GMT

If you have correlation id extracted, you can do stats by correlation id to correlate events

Re: How to fetch and compare unique id's from different events in Splunk query

rkishoreqa — Thu, 02 Sep 2021 10:06:20 GMT

I can able to query the 'correlationId' and do stats on it. But how can I match these 'correlationId's which are having 'START' and 'END' status.

Re: How to fetch and compare unique id's from different events in Splunk query

rkishoreqa — Thu, 02 Sep 2021 15:21:27 GMT

In other words,
App : A1
Status : Start
correlationID : "80961137-6734-4f7f-8750-3d27cdf2a4eb"

App: A2
Status: Start
correlationID : "64531137-6734-4f7f-8750-3d27cdf2a4qq",

App: A2
Status: End
correlationID : "64531137-6734-4f7f-8750-3d27cdf2a4qq",

App : A1
Status : Start
correlationID : "80961137-6734-4f7f-8750-3d27cdf2a4eb"

Here the Apps A1,A2 having same correlationID's along with status 'START' & 'END; then we should consider it as 1 successful instance completed.
Otherwise we need mark it as 1 failed instance.
Here I need the suggestion to build the query for this requirement.

Re: How to fetch and compare unique id's from different events in Splunk query

ITWhisperer — Fri, 03 Sep 2021 11:16:05 GMT

| stats values(Status) as Status by correlationId