topic Re: Splunk Query in Splunk Search

Events are getting matched, but why don't I see any table with messageid and timediff?

amitrinx — Fri, 27 Jan 2023 19:37:07 GMT

I have 2 events having fields
1. id_cse_event: sqsmessageid,timestamp
2. Scim: sqs_message_id, timestamp.

I want to search all the messages published by id_cse_events in scim using messageid, then find the difference between the time stamps

This is the query i have wrote:
sourcetype=id-cse-events
| where isnotnull(sqsMessageId)
| eval sqsmsgid=sqsMessageId
| eval id_cse_time=timeStamp
| table sqsmsgid, id_cse_time
| map
[search sourcetype=scim |fields line.message.sqs_message_id, line.timestamp|search line.message.sqs_message_id="$sqsmsgid$"
| eval time_diff_in_seconds=strptime(id_cse_time,"%Y-%m-%dT%H:%M:%S")-strptime(line.timestamp,"%Y-%m-%dT%H:%M:%S") ]maxsearches=9999
| table line.message.sqs_message_id,time_diff_in_seconds

id_cse_time= 2023-01-27T09:55:45.970831Z
scim timestamp = 2023-01-27T08:24:28.601+0000

The events are getting matched, but i don't see any table with messageid and timediff.
Can anyone help?

Re: Splunk Query

ITWhisperer — Fri, 27 Jan 2023 10:06:24 GMT

Rather than using map, try gathering the events with stats

sourcetype=id-cse-events OR sourcetype=scim | eval sqsmsgid=coalesce(sqsMessageId,line.message.sqs_message_id) | stats values(timeStamp) as id_cse_time values(line.timestamp) as line_timestamp by sqsmsgid | eval time_diff_in_seconds=strptime(id_cse_time,"%Y-%m-%dT%H:%M:%S")-strptime(line.timestamp,"%Y-%m-%dT%H:%M:%S") | table sqsmsgid,time_diff_in_seconds

Re: Splunk Query

amitrinx — Fri, 27 Jan 2023 10:41:39 GMT

With this query i can only see the timestamps of id_cse_events not for the scim

Re: Splunk Query

ITWhisperer — Fri, 27 Jan 2023 10:44:50 GMT

Please can you share some events from both sourcetypes (anonymised of course), preferably in code blocks </> to prevent information being removes by the formatting process.