Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to do a Splunk query that can give me difference in values?

AruBhende
Explorer
‎01-20-2023 05:33 PM

We have ingested into Splunk logs from our application - these logs include two keys - stageType  and correlation id, along with other keys.    I have to find a list of correlation ids that are returned for one stageType and not for other stageType.   I realise Splunk queries cannot be written similar to SQL I am not very conversant with Splunk -  I just normally get by - using simpler queries.  

Hence hoping, someone can help me with a query that gives me the list - so I can do further analysis to find out the reason for differences, which should not normally exist.

Is it possible to do it in Splunk? Can someone help me with the query?

index=grp-applications sourcetype="kafka:status" stageType IN ("STAGEA", "STAGEB" )  env=qa | dedup env, correlationId, stageType | stats count by env, correlationId, stageType

Thank you

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎01-20-2023 06:08 PM

Hi @AruBhende,

Please try below;

index=grp-applications sourcetype="kafka:status" stageType IN ("STAGEA", "STAGEB" ) env=qa 
| stats values(stageType) as stageType by env correlationId 
| where mvcount(stageType) = 1

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎01-20-2023 06:36 PM

Hi @AruBhende,

If you see all correlation ids, they should be different between stages. Can you paste a sample log containing both stages?

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Solved! Jump to solution

AruBhende
Explorer
‎01-20-2023 07:05 PM

Sorry, it was a mistake on my part.  It should have been sourceCorrelationId instead of correlationId.  Both are valid keys in the log. When I used sourceCorrs a am accepting that elationId in the example you provided, it worked.

I am accepting that as solution.

Thanks for your help.

 

0 Karma
Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎01-20-2023 06:08 PM

Hi @AruBhende,

Please try below;

index=grp-applications sourcetype="kafka:status" stageType IN ("STAGEA", "STAGEB" ) env=qa 
| stats values(stageType) as stageType by env correlationId 
| where mvcount(stageType) = 1

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Solved! Jump to solution

AruBhende
Explorer
‎01-20-2023 06:21 PM

Hi,

I tried it but it is not giving the difference, it is giving all the correlation ids.  For STAGEA, there are about 55000 events returned and for STAGEB, about 50000.  The above query is returning 105,000 events, whereas I want to get only the 5000 - which is the difference.  Is it possible ?

Thanks

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...