topic Re: Retrieve service depandancy with splunk entreprise in Splunk Search

Retrieve service depandancy with splunk entreprise

Oum — Wed, 26 Jun 2024 14:57:53 GMT

hello i'm beginner in splunk. Currently, i'm working with splunk entreprise i want to retrieve microservices depandancy and export this informations How can i do that?

Re: Retrieve service depandancy with splunk entreprise

ITWhisperer — Wed, 26 Jun 2024 15:05:31 GMT

Start by creating a search which retrieves the information you are trying to find. How far have you got with that?

Re: Retrieve service depandancy with splunk entreprise

Oum — Fri, 28 Jun 2024 13:05:28 GMT

yes i'm started doing a search based on the traceId and spanId

index=your_index sourcetype=your_sourcetype

| fields trace_id, span_id, parent_span_id,app.name

| rename app.name as current_service

| join type=inner trace_id [search index=your_index sourcetype=your_sourcetype | fields trace_id, span_id, parent_span_id,app.name | rename app.name as parent_service, span_id as parent_span_id]

| where parent_span_id = span_id

| table trace_id, parent_service, current_service

but i'm asking if there is a default fields related to microservices in Splunk

Re: Retrieve service depandancy with splunk entreprise

PickleRick — Fri, 28 Jun 2024 22:11:13 GMT

1. Post your searches in code block or preformatted paragraph - it helps readability.

2. Don't use the join command if you can avoid it (in this case you can probably go with stats instead)

3. Fields depend on the data you onboard. The only "default" thing about them is when you have them normalized to be CIM-compliant. But I don't see any datamodel applicable here.

Re: Retrieve service depandancy with splunk entreprise

yuanliu — Fri, 28 Jun 2024 22:30:49 GMT

but i'm asking if there is a default fields related to microservices in Splunk

I understand that it is tempting to view Splunk as a unique data source. But in reality, Splunk data is what you collect in your business. Volunteers here has zero visibility of what fields are available in your_sourcetype that may or may not be related to microservices.

In simple terms, no. There is no such a thing as default fields related to anything other than time. host, source, and sourcetype are usually mandatory in most deployments. You need to ask whoever is writing logs in your_sourcetype how to identify a microservice. They may have already put such in a key-value pair using either a delimiter or using a structured format such as JSON. Even if they haven't, Splunk can easily extract it as long as it is present in the data. However, Splunk itself cannot tell you where your developers placed such information.

As @PickleRick suggested, you can also show some raw events (anonymize as needed) for volunteers to inspect and speculate. Still, the best is if you can also ask your developers to identify information themselves.

Re: Retrieve service depandancy with splunk entreprise

ITWhisperer — Sun, 30 Jun 2024 09:20:00 GMT

It looks like you are trying to find the app.name for the parent_span_id? To avoid using joins, try something like this:

If this isn't correct, please share some anonymised, but representative raw events and a description of what it is you are trying to do