Knowledge Management

Search driven by KVStore parameters

Explorer

I have a set of events similar to below and a working search for a single ID value of 133. My next step is to make the ID dynamic from a KVStore. My attempts so far have been unsuccessful and I could use some help. I am not even positive this is the right approach.

This is for a custom app for internal use so options are wide open on how to best approach this.
Ideas?

Events:
date time : Process Start for core instance ID: 133
date time : random message 1
date time : random message 5
date time : Process Ending ID: 133
date time : Process Start for core instance ID: 145
date time : random message 2
date time : random message 4
date time : random message 7
date time : Process Ending ID: 145
etc...

Working search:
index=myindex source=mysource
[search index=myindex ("Process Start" AND "ID: 133") | head 1 | eval earliest=_time | table earliest]
[search index=myindex ("Process Ending" AND "ID: 133") | head 1 | eval latest=_time+1 | table latest]
| eval StatusCode=if((like(_raw, "%Process Start%") AND like(_raw, "%ID: 133%")), 1, if(like(_raw, "%Process Ending%"), 2, 0))
| stats sum(StatusCode) as StatusCode, min(_time) as StartTime
| eval Started=if((StatusCode /1)>=1,"Success","Fail")
| eval Finished=if((StatusCode /2)>=1,"Success","Fail")
| eval Time=strftime(StartTime,"%c")
| table StartTime, evalVal1, evalVal2

Desired Results:
ID StartTime Started Finished
133 datetime Success Success
145 datetime Success Fail

0 Karma

Re: Search driven by KVStore parameters

Explorer

Correction: "| table StartTime, evalVal1, evalVal2" in working search should be "| table StartTime, Started, Finished"

0 Karma

Re: Search driven by KVStore parameters

Explorer

The final solution involved writing a Python script which pulled data from a KV store. Then, using these parameters, it performed additional searches to gather events. The events were then accumulated in a JSON result set and returned to the client.


0 Karma
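The logic of the original search (window an ID between its "Process Start" and "Process Ending" events, then report Started/Finished) and the accepted approach (read the IDs from a KV store, search once per ID, accumulate JSON), written out as an added, runnable Python example. This is not the poster's script and does not call Splunk: the events and the KV store rows are constructed inline, the KV store field name "instance_id" and the UTC timestamps are assumptions, and the per-ID search is emulated in plain Python so it runs offline.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample events in the shape of the original post (not real data).
# ID 13 is included to show that "ID: 13" must not be taken as a match for "ID: 133".
SAMPLE_EVENTS = """\
2024-01-15 08:00:01 : Process Start for core instance ID: 133
2024-01-15 08:00:02 : random message 1
2024-01-15 08:00:03 : random message 5
2024-01-15 08:00:05 : Process Ending ID: 13
2024-01-15 08:00:09 : Process Ending ID: 133
2024-01-15 08:10:00 : Process Start for core instance ID: 145
2024-01-15 08:10:01 : random message 2
2024-01-15 08:10:02 : random message 4
2024-01-15 08:10:03 : random message 7
"""

# Constructed stand-in for the rows a script would read from the KV store collection.
# The field name "instance_id" is an assumption; the post does not name it. 999 has no events at all.
KVSTORE_ROWS = [{"instance_id": "133"}, {"instance_id": "145"}, {"instance_id": "999"}]

# Anchored patterns: the trailing $ makes the ID match exact, unlike like(_raw, "%ID: 133%"),
# which would also accept "ID: 1330".
START_RE = re.compile(r"Process Start for core instance ID: (\d+)$")
END_RE = re.compile(r"Process Ending ID: (\d+)$")


def parse_events(text):
    """Turn raw lines into dicts with an epoch _time (UTC assumed), _raw, and kind/id for marker events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, _, _msg = line.partition(" : ")
        epoch = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp()
        kind, ident = None, None
        m = START_RE.search(line)
        if m:
            kind, ident = "start", m.group(1)
        else:
            m = END_RE.search(line)
            if m:
                kind, ident = "end", m.group(1)
        events.append({"_time": epoch, "_raw": line, "kind": kind, "id": ident})
    events.sort(key=lambda e: e["_time"])
    return events


def search_instance(events, instance_id):
    """Emulate the post's search for one ID: window from its first Start to its first Ending (+1 s),
    then record which marker events of that ID the window contains as bit flags (1 = start, 2 = end)."""
    starts = [e["_time"] for e in events if e["kind"] == "start" and e["id"] == instance_id]
    if not starts:
        return {"ID": instance_id, "StartTime": None, "Started": "Fail", "Finished": "Fail"}
    earliest = starts[0]
    ends = [e["_time"] for e in events if e["kind"] == "end" and e["id"] == instance_id and e["_time"] >= earliest]
    latest = ends[0] + 1 if ends else float("inf")  # no Ending yet: window stays open, as an unset latest does in SPL
    status = 0
    for e in events:
        if earliest <= e["_time"] < latest and e["id"] == instance_id:
            status |= 1 if e["kind"] == "start" else 2
    return {
        "ID": instance_id,
        "StartTime": datetime.fromtimestamp(earliest, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "Started": "Success" if status & 1 else "Fail",
        "Finished": "Success" if status & 2 else "Fail",
    }


def build_report(kvstore_rows, events, id_field="instance_id"):
    """The accepted approach: one search per KV store row, results accumulated into a list of rows."""
    return [search_instance(events, str(row[id_field])) for row in kvstore_rows]


def run_report(kvstore_rows, events, id_field="instance_id"):
    """Serialize the accumulated rows as the JSON result set the script returned to the client."""
    return json.dumps(build_report(kvstore_rows, events, id_field))


if __name__ == "__main__":
    print(run_report(KVSTORE_ROWS, parse_events(SAMPLE_EVENTS)))
```

Two choices differ from the SPL in the question on purpose. Started and Finished are tested as bit flags (`status & 1`, `status & 2`) rather than by dividing a summed StatusCode, so a window that contains only an Ending event is not reported as Started; and the Ending match is tied to the same ID, whereas `like(_raw, "%Process Ending%")` on its own would count another instance's Ending that falls inside the window. Note also that in a real Splunk search `head 1` on the default, newest-first ordering returns the most recent Start for an ID, not the first one this emulation picks; add `| sort _time` or `| reverse` if the first run is the one wanted.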

Re: Search driven by KVStore parameters

SplunkTrust

@stephendavisWK, if your problem is resolved, please accept the answer.

---
If this reply helps you, an upvote would be appreciated.
0 Karma