topic Re: MAP command query in Splunk Search

MAP command query

mprreddy51 — Thu, 14 Jul 2016 06:35:45 GMT

Hi,

why I am not able to extract date from _raw in MAP command(second part of query)

Below is my query:

index=abc sourcetype=pqr SERVICE_NAME=def |  rex "(?<precise_time>\d{8}T\d{6}\.\d{3})" | eval precise_epoch=strptime(precise_time, "%Y%m%dT%H%M%S.%f") |  transaction SERVICE_NAME startswith="WWW_REQ" endswith="WWW_RES" | sort _time |  eval duration = tonumber(mvindex(precise_epoch, -1)) - tonumber(mvindex(precise_epoch, 0)) |table ACCNO|map search="search index=abc sourcetype=pqr ACCNO=$ACCNO$ | rex "(?<precise_time>\d{8}T\d{6}\.\d{3})" | eval precise_epoch=strptime(precise_time, "%Y%m%dT%H%M%S.%f") |  transaction SERVICE_NAME startswith="AAA_REQ" endswith="AAA_RES" | sort _time |  eval duration = tonumber(mvindex(precise_epoch, -1)) - tonumber(mvindex(precise_epoch, 0)) |table ACCNO,SERVICE_NAME,duration"

If i remove rex part and duration in second query I am getting some results.But ultimately I need duration in my requirement. How to achieve this.

Thanks in advance.

-PR

Re: MAP command query

somesoni2 — Thu, 14 Jul 2016 15:50:55 GMT

Give this a try.

index=abc sourcetype=pqr SERVICE_NAME=def |  transaction SERVICE_NAME startswith="WWW_REQ" endswith="WWW_RES" | sort _time |table ACCNO|map search="search index=abc sourcetype=pqr ACCNO=$ACCNO$ | rex "(?<precise_time>\d{8}T\d{6}\.\d{3})\" | eval precise_epoch=strptime(precise_time, "%Y%m%dT%H%M%S.%N") |  transaction SERVICE_NAME startswith="AAA_REQ" endswith="AAA_RES" | sort _time |  eval duration = tonumber(mvindex(precise_epoch, -1)) - tonumber(mvindex(precise_epoch, 0)) |table ACCNO,SERVICE_NAME,duration"

Updated Answer
Map is expensive and has limitation. Give this one a try. Also adding the >30 sec constraints that you mentioned (missing in question)

index=abc sourcetype=pqr [search index=abc sourcetype=pqr SERVICE_NAME=def |  rex "(?<precise_time>\d{8}T\d{6}\.\d{3})" | eval precise_epoch=strptime(precise_time, "%Y%m%dT%H%M%S.%f") |  transaction SERVICE_NAME startswith="WWW_REQ" endswith="WWW_RES"  |  eval duration = tonumber(mvindex(precise_epoch, -1)) - tonumber(mvindex(precise_epoch, 0)) |search duration>30|table ACCNO] |  rex "(?<precise_time>\d{8}T\d{6}\.\d{3})" | eval precise_epoch=strptime(precise_time, "%Y%m%dT%H%M%S.%f") |  transaction SERVICE_NAME startswith="AAA_REQ" endswith="AAA_RES" | sort _time |  eval duration = tonumber(mvindex(precise_epoch, -1)) - tonumber(mvindex(precise_epoch, 0)) |table ACCNO,SERVICE_NAME,duration"

Re: MAP command query

mprreddy51 — Tue, 29 Sep 2020 10:14:20 GMT

@Somesh,

In the first part of the search, we are taking "duration">30sec

index=abc sourcetype=pqr SERVICE_NAME=def |  rex "(?\d{8}T\d{6}\.\d{3})" | eval precise_epoch=strptime(precise_time, "%Y%m%dT%H%M%S.%f") |  transaction SERVICE_NAME startswith="WWW_REQ" endswith="WWW_RES" | sort _time |  eval duration = tonumber(mvindex(precise_epoch, -1)) - tonumber(mvindex(precise_epoch, 0)) |table ACCNO,duration|search duration>30|table ACCNO

ACCNO     DURATION
1         31.22
2         34.89          (I am passing only ACCNO)
3         78.98

This part of the search states that:

index=abc sourcetype=pqr ACCNO=$ACCNO$ | rex "(?\d{8}T\d{6}\.\d{3})" | eval precise_epoch=strptime(precise_time, "%Y%m%dT%H%M%S.%f") |  transaction SERVICE_NAME startswith="AAA_REQ" endswith="AAA_RES" | sort _time |  eval duration = tonumber(mvindex(precise_epoch, -1)) - tonumber(mvindex(precise_epoch, 0)) |table ACCNO,SERVICE_NAME,duration"

ACCNO   SERVICE_NAME     duration
1       a                0.89
        b                1.09
        c                2.45

2       e                4.67
        f                0.11

This the output I am expecting.

First I need to check in SERVICE_NAME=def with WWW_req and WWW_res Account nos >30 sec
second if any account number is greater than 30 then I need to find for each accountnumber what are the services and time duration. I did it manually by copying one accno at a time,But there are 100's of accnos .By using MAP i am trying.
Thanks

Re: MAP command query

somesoni2 — Thu, 14 Jul 2016 19:23:13 GMT

Try the updated answer.