topic How to correlate the results of two searches? in Splunk Search

How to correlate the results of two searches?

sebasti1aan — Wed, 30 Mar 2022 17:04:56 GMT

Hi all,

We have two reverse proxies, one front, one back. They both log http requests and responses to the same index. Each request has a unique-ID that is the same on the front and back. I would like to correlate the front and back requests with the same unique-ID. So the two searches are something like this:

index=rpx proxy=front unique_id=* index=rpx proxy=back unique_id=*

Log lines would then look something like this (shortened for brevity):

proxy=front, unique_id=123456, time_taken=2ms proxy=back, unique_id=123456, time_taken=5ms

My goal is to have the delta time of the time_taken field and then display it in for instance a timechart avg. Maybe I should do the one search and correlate from the time_taken field from there?

Re: How to correlate the results of two searches

aasabatini — Wed, 30 Mar 2022 14:15:16 GMT

without a dataset it's little bit complicated but you have to use this logic

index=rpx unique_id=* proxy=front OR proxy=back | eval time_taken_back=if(proxy="back",time_taken,""), time_taken_front=if(proxy="front",time_taken,""),unique_id_back=if(proxy="back",unique_id,""), unique_id_front=if(proxy="front",unique_id,"") | eval delta=if(unique_id_back=unique_id_front,time_taken_back-time_taken_front,"") | stats values(delta) as delta by unique_id,_time

Re: How to correlate the results of two searches

sebasti1aan — Wed, 30 Mar 2022 16:11:20 GMT

Thanks I will try it out and report back 🙂