Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Merging Associated Events

paddy3883
Path Finder
‎10-24-2012 02:21 AM

I have a script which sends individual events into Splunk, each event is essentially a report on a HTTP Request, either GET or POST. The event contains a number of fields but two key ones are StepName and Timing:

  1. StepName will be a title for the HTTPRequest etc. PostLogin
  2. Timing will be a int value of the milliseconds taken by HttpRequest

I'm writing a report which shows the average time taken for each step over last 15 minutes. However, from an end users point of view, some steps are part of one process e.g.

  1. Step1 - GetLoginPage
  2. Step2 - PostLoginPage
  3. Step3 - ProcessUserDetails
  4. Step4 - GetHomePage

In this case Step2 and Step3 would be one process for an end user, therefore I'd like to be able to report on these as if they were one step so the following:

GetLoginPage 50

PostLoginPage 100

ProcessUserDetails 250

GetHomePage 80

would become

GetLoginPage 50

PostLoginPage 350

GetHomePage 80

I can use a replace on the StepName so I have

GetLoginPage 50

PostLoginPage 100

PostLoginPage 250

GetHomePage 80

How can I then merge these results so it summates the two PostLoginPage steps and then gives me an average over the time period for the three individual steps?

Note each step has a field called TransactionGUID which associates a group of steps for the same execution.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎10-24-2012 04:59 AM

Hello,

your_search | replace "ProcessUserDetails" with "PostLoginPage" in StepName | chart sum(exec_time) over TransactionGUID by StepName | stats avg(GetLoginPage) avg(PostLoginPage) avg(GetHomePage)

is one way to do it. exec_time would be the field where the execution time is stored.

Hope this helps,

Kristian

View solution in original post

Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎10-24-2012 04:59 AM

Hello,

your_search | replace "ProcessUserDetails" with "PostLoginPage" in StepName | chart sum(exec_time) over TransactionGUID by StepName | stats avg(GetLoginPage) avg(PostLoginPage) avg(GetHomePage)

is one way to do it. exec_time would be the field where the execution time is stored.

Hope this helps,

Kristian

Reply
Solved! Jump to solution

paddy3883
Path Finder
‎10-24-2012 05:13 AM

Thanks, I have found a way to do it not too disimilar to this so thanks for feedback.

0 Karma
Reply
Solved! Jump to solution

watsm10
Communicator
‎10-24-2012 03:32 AM

I would suggest searching the documentation for eval(case). I had a similar issue and this was a suitable workaround. If you need any more help, let me know 🙂

Reply
Solved! Jump to solution

paddy3883
Path Finder
‎10-24-2012 05:13 AM

Thanks, I was able to use the eval for this purpose and work into a solution

0 Karma
Reply
Solved! Jump to solution

watsm10
Communicator
‎10-24-2012 03:38 AM

so.. eval StepName = case(HTTPRequest="GetLoginPage","GetLoginPage",(HTTPRequest="PostLoginPage" and HTTPRequest="ProcessUserDetails"),"PostLoginPage",HTTPRequest="GetHomePage","GetHomePage")

so it's case(name of fields you wish to rename/combine,"new name",name of fields you wish to rename/combine,"new name".......)

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...