How can I combine the events to bring it back as 1 event or even for it to show just a list of fields?

Sfry1981
Communicator

I have a search like this where it brings back a history of an event based on the guid. The last event has the information about the error but the first event has the information about the ID of the user under a_tid. I have mapped out the searches below for info:

index=nameofindex Microservice "Instance errored" 

This brings back the below event

a_time="2018-06-15 21:26:49,836", a_tid="(null)", a_rid="71111111-3be2-46ea-a91e-f635b785a750",  a_msg="Instance errored"

Now if I search with the guid ID as per the below:

index=nameofindex a_rid="71111111-3be2-46ea-a91e-f635b785a750"

I get the below events:

a_time="2018-06-15 21:26:49,836", a_tid="(null)", a_rid="71111111-3be2-46ea-a91e-f635b785a750",  a_msg="Instance errored"

a_time="2018-06-15 21:26:49,671", a_tid="10132", a_rid="71111111-3be2-46ea-a91e-f635b785a750",  a_tid="00001" a_msg="Registering instance"

What I want to do is perform the first search, but pull through a list of the a_tid values that have an ID like the one above, which shows 'a_tid="00001"'.

Ideally I would like the event to show as the below:

a_time="2018-06-15 21:26:49,836", a_rid="71111111-3be2-46ea-a91e-f635b785a750",  a_msg="Instance errored", a_tid="00001"

So the link is there on the event history but how can I combine the events to bring it back as 1 event or even for it to show just a list of a_tid?


Ayn
Legend

I would write a subsearch for retrieving all a_rid values for events with the "Instance errored" message, then either run transaction or stats for getting the desired results. I noticed you say you're searching for "Microservice" but the example event you show doesn't actually have that string in it - maybe you meant sourcetype=Microservice or something? I'm assuming this in my query below.

index=nameofindex [search index=nameofindex sourcetype=Microservice "Instance errored" | fields a_rid] | transaction a_rid | search a_tid=00001

...or similarly using stats, which is cheaper from a performance perspective:

index=nameofindex [search index=nameofindex sourcetype=Microservice "Instance errored" | fields a_rid] | stats values(a_tid) as a_tid by a_rid | search a_tid=00001


Sfry1981
Communicator

Thanks Ayn, that's done the trick. This now gives me the next step to connect more dots, as it was bugging me 🙂

Also, like you say, the transaction was too costly, so I went with the stats, which was a lot better.


Ayn
Legend

Cool, there's also eventstats that does the same as stats but keeps all data from the original events, if that helps.

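Ayn's accepted answer (subsearch for the errored a_rid values, then `stats values(a_tid) by a_rid`) and the eventstats follow-up, worked through in Python over the events quoted in the question. This is an added example, not part of the thread and not Splunk's own code: the sample events are constructed from the two quoted in the question plus one unrelated a_rid that never errored, the function names are mine, and dropping the "(null)" placeholder from the collected a_tid values is my choice, not something the thread states.

```python
import re
from collections import defaultdict

# Constructed sample events modelled on the ones quoted in the question:
# the "Instance errored" event whose a_tid is "(null)", its matching
# "Registering instance" event carrying the real a_tid (note the key appears
# twice, as in the quoted event), and an unrelated a_rid that never errored
# and therefore must not show up in the results.
SAMPLE_EVENTS = [
    'a_time="2018-06-15 21:26:49,836", a_tid="(null)", a_rid="71111111-3be2-46ea-a91e-f635b785a750",  a_msg="Instance errored"',
    'a_time="2018-06-15 21:26:49,671", a_tid="10132", a_rid="71111111-3be2-46ea-a91e-f635b785a750",  a_tid="00001" a_msg="Registering instance"',
    'a_time="2018-06-15 21:30:02,100", a_tid="20444", a_rid="22222222-0000-0000-0000-000000000000",  a_msg="Registering instance"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(raw):
    """Extract key="value" pairs. A repeated key (a_tid in the second sample)
    keeps every value, mirroring Splunk's multivalue field extraction."""
    fields = defaultdict(list)
    for key, value in KV_RE.findall(raw):
        fields[key].append(value)
    return fields


def errored_rids(events):
    """The subsearch: a_rid of every event carrying the 'Instance errored' message."""
    return {f["a_rid"][0] for f in events
            if "a_rid" in f and "Instance errored" in f.get("a_msg", [])}


def stats_tids_by_rid(events, rids):
    """stats values(a_tid) as a_tid by a_rid, restricted to the subsearch's a_rid set.
    values() collects distinct values; the "(null)" placeholder is dropped here
    because it carries no user ID (my choice, not from the thread)."""
    result = defaultdict(set)
    for f in events:
        if "a_rid" not in f:
            continue
        rid = f["a_rid"][0]
        if rid in rids:
            result[rid].update(t for t in f.get("a_tid", []) if t != "(null)")
    return {rid: sorted(tids) for rid, tids in result.items()}


def eventstats_annotate(events, rids):
    """eventstats: keep each original event, but attach the a_tid values seen
    across all events sharing its a_rid."""
    per_rid = stats_tids_by_rid(events, rids)
    annotated = []
    for f in events:
        if "a_rid" not in f:
            continue
        rid = f["a_rid"][0]
        if rid in rids:
            annotated.append({"a_time": f["a_time"][0], "a_rid": rid,
                              "a_msg": f["a_msg"][0], "a_tid": per_rid[rid]})
    return annotated


def errored_events_with_tid(events, wanted_tid):
    """The final '| search a_tid=00001' step, applied to the errored events only.
    This yields the single annotated event the question asked for."""
    rids = errored_rids(events)
    return [e for e in eventstats_annotate(events, rids)
            if e["a_msg"] == "Instance errored" and wanted_tid in e["a_tid"]]


if __name__ == "__main__":
    events = [parse_event(line) for line in SAMPLE_EVENTS]
    rids = errored_rids(events)
    print("stats   :", stats_tids_by_rid(events, rids))
    for e in errored_events_with_tid(events, "00001"):
        print("eventstats hit:", e)
```

The stats form answers the "just a list of a_tid" variant of the question with one row per a_rid; the eventstats form keeps the original "Instance errored" event and adds the a_tid from its sibling "Registering instance" event, which is the shape shown under "Ideally I would like the event to show as the below". The unrelated a_rid is filtered out by the subsearch step before any grouping, which is also why the stats approach is cheaper than transaction: nothing is buffered per transaction, only a set per a_rid.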