Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search driven by KVStore parameters

stephendavisWK
Explorer
‎09-14-2017 07:15 AM

I have a set of events similar to below and a working search for a single ID value of 133. My next step is to make the ID dynamic from a KVStore. My attempts so far have been unsuccessful and I could use some help. I am not even positive this is the right approach.

This is for a custom app for internal use so options are wide open on how to best approach this.
Ideas?

Events:
date time : Process Start for core instance ID: 133
date time : random message 1
date time : random message 5
date time : Process Ending ID: 133
date time : Process Start for core instance ID: 145
date time : random message 2
date time : random message 4
date time : random message 7
date time : Process Ending ID: 145
etc...

Working search:
index=myindex source=mysource
[search index=myindex ("Process Start" AND "ID: 133") | head 1 | eval earliest=_time | table earliest]
[search index=myindex ("Process Ending" AND "ID: 133") | head 1 | eval latest=_time+1 | table latest]
| eval StatusCode=
if((like(_raw, "%Process Start%") AND like(_raw, "%ID: 133%")), 1,
if(like(_raw, "%Process Ending%"), 2, 0))
| stats sum(StatusCode) as StatusCode, min(_time) as StartTime
| eval Started=if((StatusCode /1)>=1,"Success","Fail")
| eval Finished=if((StatusCode /2)>=1,"Success","Fail")
| eval Time=strftime(StartTime,"%c")
| table StartTime, evalVal1, evalVal2

Desired Results:
ID StartTime Started Finished
133 datetime Success Success
145 datetime Success Fail

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

stephendavisWK
Explorer
‎11-17-2017 11:47 AM

The final solution involved writing a python script which pulled data from a kvstore. Then using these parameters performing additional searches to gather events. The events were then accumulated in a json result set and returned to the client.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

stephendavisWK
Explorer
‎11-17-2017 11:47 AM

The final solution involved writing a python script which pulled data from a kvstore. Then using these parameters performing additional searches to gather events. The events were then accumulated in a json result set and returned to the client.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-17-2017 01:59 PM

@stephendavisWK, if your problem is resolved, please accept the answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

stephendavisWK
Explorer
‎09-15-2017 07:05 AM

Correction: "| table StartTime, evalVal1, evalVal2" in working search should be "| table StartTime, Started, Finished"

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...