Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Is it possible to do a Splunk query that can give me difference in values?

AruBhende
Explorer
‎01-20-2023 05:33 PM

We have ingested into Splunk logs from our application - these logs include two keys - stageType  and correlation id, along with other keys.    I have to find a list of correlation ids that are returned for one stageType and not for other stageType.   I realise Splunk queries cannot be written similar to SQL I am not very conversant with Splunk -  I just normally get by - using simpler queries.  

Hence hoping, someone can help me with a query that gives me the list - so I can do further analysis to find out the reason for differences, which should not normally exist.

Is it possible to do it in Splunk? Can someone help me with the query?

index=grp-applications sourcetype="kafka:status" stageType IN ("STAGEA", "STAGEB" )  env=qa | dedup env, correlationId, stageType | stats count by env, correlationId, stageType

Thank you

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎01-20-2023 06:08 PM

Hi @AruBhende,

Please try below;

index=grp-applications sourcetype="kafka:status" stageType IN ("STAGEA", "STAGEB" ) env=qa 
| stats values(stageType) as stageType by env correlationId 
| where mvcount(stageType) = 1

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎01-20-2023 06:36 PM

Hi @AruBhende,

If you see all correlation ids, they should be different between stages. Can you paste a sample log containing both stages?

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Solved! Jump to solution

AruBhende
Explorer
‎01-20-2023 07:05 PM

Sorry, it was a mistake on my part.  It should have been sourceCorrelationId instead of correlationId.  Both are valid keys in the log. When I used sourceCorrs a am accepting that elationId in the example you provided, it worked.

I am accepting that as solution.

Thanks for your help.

 

0 Karma
Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎01-20-2023 06:08 PM

Hi @AruBhende,

Please try below;

index=grp-applications sourcetype="kafka:status" stageType IN ("STAGEA", "STAGEB" ) env=qa 
| stats values(stageType) as stageType by env correlationId 
| where mvcount(stageType) = 1

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Solved! Jump to solution

AruBhende
Explorer
‎01-20-2023 06:21 PM

Hi,

I tried it but it is not giving the difference, it is giving all the correlation ids.  For STAGEA, there are about 55000 events returned and for STAGEB, about 50000.  The above query is returning 105,000 events, whereas I want to get only the 5000 - which is the difference.  Is it possible ?

Thanks

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...