Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search driven by KVStore parameters

stephendavisWK
Explorer
‎09-14-2017 07:15 AM

I have a set of events similar to below and a working search for a single ID value of 133. My next step is to make the ID dynamic from a KVStore. My attempts so far have been unsuccessful and I could use some help. I am not even positive this is the right approach.

This is for a custom app for internal use so options are wide open on how to best approach this.
Ideas?

Events:
date time : Process Start for core instance ID: 133
date time : random message 1
date time : random message 5
date time : Process Ending ID: 133
date time : Process Start for core instance ID: 145
date time : random message 2
date time : random message 4
date time : random message 7
date time : Process Ending ID: 145
etc...

Working search:
index=myindex source=mysource
[search index=myindex ("Process Start" AND "ID: 133") | head 1 | eval earliest=_time | table earliest]
[search index=myindex ("Process Ending" AND "ID: 133") | head 1 | eval latest=_time+1 | table latest]
| eval StatusCode=
if((like(_raw, "%Process Start%") AND like(_raw, "%ID: 133%")), 1,
if(like(_raw, "%Process Ending%"), 2, 0))
| stats sum(StatusCode) as StatusCode, min(_time) as StartTime
| eval Started=if((StatusCode /1)>=1,"Success","Fail")
| eval Finished=if((StatusCode /2)>=1,"Success","Fail")
| eval Time=strftime(StartTime,"%c")
| table StartTime, evalVal1, evalVal2

Desired Results:
ID StartTime Started Finished
133 datetime Success Success
145 datetime Success Fail

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

stephendavisWK
Explorer
‎11-17-2017 11:47 AM

The final solution involved writing a python script which pulled data from a kvstore. Then using these parameters performing additional searches to gather events. The events were then accumulated in a json result set and returned to the client.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

stephendavisWK
Explorer
‎11-17-2017 11:47 AM

The final solution involved writing a python script which pulled data from a kvstore. Then using these parameters performing additional searches to gather events. The events were then accumulated in a json result set and returned to the client.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-17-2017 01:59 PM

@stephendavisWK, if your problem is resolved, please accept the answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

stephendavisWK
Explorer
‎09-15-2017 07:05 AM

Correction: "| table StartTime, evalVal1, evalVal2" in working search should be "| table StartTime, Started, Finished"

0 Karma
Reply
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf24, and Community Connections

Thank you to everyone in the Splunk Community who joined us for .conf24 – starting with Splunk University and ...

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...