Group events based on order of occurrence of the events

Souradip11
Explorer

Hello Splunkers,

Is it possible to group events based on a sequence?

Event 1 - request, request_id 123

Event 2 - response, 200

Event 3 - request, request_id 456

Event 4 - response, 400

For each request I want the first occurring response to be grouped together with it:

Group 1 -

(Event 1 - request, request_id 123

Event 2 - response, 200)

Group 2 -

(Event 3 - request, request_id 456

Event 4 - response, 400)

Note: request_id is not logged in the response.

My actual expectation here is to get the response for each request id.


PickleRick
SplunkTrust

The answer to your question depends greatly on what you mean by "group". Do you just want to sort the events in the event list? Or do you want to do some summarization and gather all fields from both request and response into a single result? Is there any field by which you can correlate a request with a response?


Souradip11
Explorer

Hi @PickleRick 

I want to get the response code for each request id.


PickleRick
SplunkTrust

Then all you can rely on is the event order. But this obviously raises questions about abnormal situations (like whether/how the source side handles error situations - does it just drop a request or does it reissue one?).

Generally, you can use filldown (or streamstats) to populate a field based on a previous event's value like it's been already shown in this thread. Just remember that Splunk by default returns events in reverse chronological order. So if you want to rely on a request being _before_ the response, you need to resort your results to have older ones first.


ITWhisperer
SplunkTrust

Assuming the event type has been extracted to a field called "type", and your events have been sorted into chronological order, you could do something along these lines

| streamstats count as event_number by type
| stats list(_raw) as raw_events by event_number


gcusello
SplunkTrust

Hi @Souradip11,

Even if request_id isn't available in events, is there something else to correlate events?

Could you share a sample of your four types of logs?

Ciao.

Giuseppe


Souradip11
Explorer

Hi @gcusello,

There is no such information in the response that could correlate it to the respective request. The only thing mentioned is that there can't be a parallel request. A request can be made only if the response to the previous request has been received.


ITWhisperer
SplunkTrust

Assuming you have fields event_type (all events), request_id (just request events) and response_code (just response events), and your events are in reverse chronological order, then you could do this

| filldown response_code
| where event_type="request"

To be honest, all this is theoretical - if you want more salient advice, I suggest you post some representative sanitised sample events so we can see what you are dealing with.
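The following is an added example and is not code from any of the posters above. It emulates, in plain Python, the two SPL approaches suggested in the thread (ITWhisperer's `filldown response_code` over reverse-chronological results, and `streamstats count as event_number by type` followed by `stats ... by event_number` over chronological results) so the pairing logic can be checked offline against constructed events. The field names event_type, request_id and response_code are the ones ITWhisperer assumed; the events, the `SAMPLE_*` lists and the `unanswered_requests` helper are constructed here to illustrate the "abnormal situation" PickleRick raised, namely a dropped response, which makes both methods mis-attribute from that point on.

```python
"""Pair request and response events purely by order of occurrence.

Added example, not from the thread. Field names follow ITWhisperer's post
(event_type, request_id, response_code); the events below are constructed.
"""

# Constructed sample events in the order Splunk returns them by default:
# newest first. Requests carry request_id, responses carry response_code only.
SAMPLE_NEWEST_FIRST = [
    {"_time": 4, "event_type": "response", "response_code": 400},
    {"_time": 3, "event_type": "request", "request_id": "456"},
    {"_time": 2, "event_type": "response", "response_code": 200},
    {"_time": 1, "event_type": "request", "request_id": "123"},
]

# Constructed variant of the same traffic in which the response to request
# 456 was never logged (PickleRick's "abnormal situation"); request 789 followed.
SAMPLE_DROPPED_RESPONSE = [
    {"_time": 5, "event_type": "response", "response_code": 500},
    {"_time": 4, "event_type": "request", "request_id": "789"},
    {"_time": 3, "event_type": "request", "request_id": "456"},
    {"_time": 2, "event_type": "response", "response_code": 200},
    {"_time": 1, "event_type": "request", "request_id": "123"},
]


def filldown(events, field):
    """Emulate `| filldown <field>`: copy the most recent non-null value of
    `field` onto the following rows that lack it, in the given row order."""
    last, out = None, []
    for ev in events:
        row = dict(ev)
        if row.get(field) is not None:
            last = row[field]
        elif last is not None:
            row[field] = last
        out.append(row)
    return out


def pair_by_filldown(events_newest_first):
    """Emulate `| filldown response_code | where event_type="request"`.
    In reverse-chronological order each response row sits just above its
    request row, so filldown carries the code onto the request."""
    filled = filldown(events_newest_first, "response_code")
    return {row["request_id"]: row.get("response_code")
            for row in filled if row["event_type"] == "request"}


def pair_by_sequence_number(events_newest_first):
    """Emulate `| streamstats count as event_number by type | stats ... by
    event_number` on chronologically sorted results: the n-th request is
    paired with the n-th response."""
    # Equivalent of resorting oldest-first (`| sort 0 _time`) before streamstats.
    chronological = sorted(events_newest_first, key=lambda ev: ev["_time"])
    counters, groups = {}, {}
    for ev in chronological:
        kind = ev["event_type"]
        counters[kind] = counters.get(kind, 0) + 1          # streamstats count by type
        groups.setdefault(counters[kind], []).append(ev)     # stats list(_raw) by event_number
    result = {}
    for rows in groups.values():
        request = next((r for r in rows if r["event_type"] == "request"), None)
        response = next((r for r in rows if r["event_type"] == "response"), None)
        if request is not None:
            result[request["request_id"]] = response["response_code"] if response else None
    return result


def unanswered_requests(events_newest_first):
    """Hypothetical sanity check: under the thread's 'no parallel requests'
    rule, a request followed directly by another request (or by nothing)
    means its response was dropped or not logged. Every pairing after such a
    request is suspect with either method above."""
    chronological = sorted(events_newest_first, key=lambda ev: ev["_time"])
    missing = []
    for cur, nxt in zip(chronological, chronological[1:] + [None]):
        if cur["event_type"] == "request" and (nxt is None or nxt["event_type"] == "request"):
            missing.append(cur["request_id"])
    return missing


if __name__ == "__main__":
    for name, sample in (("clean", SAMPLE_NEWEST_FIRST), ("dropped", SAMPLE_DROPPED_RESPONSE)):
        print(name, "filldown:", pair_by_filldown(sample))
        print(name, "sequence:", pair_by_sequence_number(sample))
        print(name, "unanswered:", unanswered_requests(sample))
```

On the clean sample both methods agree (123 -> 200, 456 -> 400). On the sample with the dropped response, filldown credits request 456 with the 500 that belongs to 789, while the sequence-number method credits 456 with 500 and leaves 789 unpaired; only the unanswered check points at 456 as the place the ordering assumption broke, which is why the pairing is trustworthy only if the source side really never drops or re-issues a request.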
