topic Re: Anybody knows about {@fieldname} in a join in Splunk Search

Anybody knows about {@fieldname} in a join

las — Wed, 18 Oct 2023 06:11:18 GMT

Hi.

I have been given a search, that I need some help decifering.

index=atp-aes-prod sourcetype=atp_aes_json SourceContext=RevisionLogger Properties.Url="/api/Document/get-merged-pdf" Properties.IsImpersonated=false | join type=inner CorrelationId [search index=atp-aes-prod SourceContext=ANS.Platform.Application.Commands.Queries.Selfservice.GenerateMergedPdf.GenerateMergedPdfHandler MessageTemplate="User tries to merge*"] | join type=inner CorrelationId [search index=atp-aes-prod SourceContext=ANS.Platform.Integrations.GetOrganized.GoDocumentsService MessageTemplate="Start CombineToPdf method*"] | join type=inner CorrelationId [search index=atp-aes-prod SourceContext=ANS.Platform.Domain.Services.Selfservice.Authorization.SelfServiceAuthorizationService MessageTemplate="SelfServiceAuthorizationService took {@elapsedMilliseconds} ms to be constructed for part {@partId}."] | table Properties.Url, Timestamp, Properties.CompanyName, Properties.partId, Properties.documents

It does not run on our system and never will, I think it was developed by somebody versed in relational databases. I'm trying to rewrite this search, but I'm slightly baffled by the {@elapsedMilliseconds} and {@partId}.

Does anybody know what they are doing?

Kind regards

las

Re: Anybody knows about {@fieldname} in a join

gcusello — Wed, 18 Oct 2023 06:28:52 GMT

Hi @las,

I don't know why your search doesn't run, but surely it's a very slow search, having many join command inside it (Splunk isn't a DB and join command can be used only when there isn't any other solution and with few events!).

Try to use a different approach using stats:

index=atp-aes-prod (sourcetype=atp_aes_json SourceContext=RevisionLogger Properties.Url="/api/Document/get-merged-pdf" Properties.IsImpersonated=false) OR (SourceContext=ANS.Platform.Application.Commands.Queries.Selfservice.GenerateMergedPdf.GenerateMergedPdfHandler MessageTemplate="User tries to merge*") OR (SourceContext=ANS.Platform.Integrations.GetOrganized.GoDocumentsService MessageTemplate="Start CombineToPdf method*") OR (SourceContext=ANS.Platform.Domain.Services.Selfservice.Authorization.SelfServiceAuthorizationService MessageTemplate="SelfServiceAuthorizationService took {@elapsedMilliseconds} ms to be constructed for part {@partId}.") | stats values(Properties.Url) AS Url values(Timestamp) AS Timestamp values(Properties.CompanyName) AS CompanyName values(Properties.partId) AS partId values(Properties.documents) AS documents BY CorrelationId

Sometimes there also an issue (and probably this is the problem of your original search, using fields with the dot inside, in this case use rename or quotes:

index=atp-aes-prod (sourcetype=atp_aes_json SourceContext=RevisionLogger Properties.Url="/api/Document/get-merged-pdf" Properties.IsImpersonated=false) OR (SourceContext=ANS.Platform.Application.Commands.Queries.Selfservice.GenerateMergedPdf.GenerateMergedPdfHandler MessageTemplate="User tries to merge*") OR (SourceContext=ANS.Platform.Integrations.GetOrganized.GoDocumentsService MessageTemplate="Start CombineToPdf method*") OR (SourceContext=ANS.Platform.Domain.Services.Selfservice.Authorization.SelfServiceAuthorizationService MessageTemplate="SelfServiceAuthorizationService took {@elapsedMilliseconds} ms to be constructed for part {@partId}.") | rename Properties.Url AS Url Properties.CompanyName AS CompanyName Properties.partId AS partId Properties.documents AS documents | stats values(Url) AS Url values(Timestamp) AS Timestamp values(CompanyName) AS CompanyName values(partId) AS partId values(documents) AS documents BY CorrelationId

Ciao.

Giuseppe

Re: Anybody knows about {@fieldname} in a join

las — Wed, 18 Oct 2023 06:37:42 GMT

Hi guiseppe.

I should have been clearer, yes it is a perfectly valid search - except for the many joins, that I also will rewrite with stats.

Yes - now I see it, it is a message template thatis part of the logging, so the {@fieldname} is just part of the normal search.

Thank you