Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Correlating fields from two separate message types

tslnmx
Explorer
‎06-19-2012 08:14 AM

There are two types of messages I'd like to correlate in my logs:

  • An occasional message reporting an integer for the load my server is under
  • Common messages saying how long it took to execute certain operations in my app

I need a scatter chart showing the server load on one axis, and operation time in seconds on the other, with the points in the chart showing the load vs execution time of the operations.

The problem I'm having is, the field that announces the server load is not included in the same messages that announce the elapsed time for that particular operation. So when I'm searching for operations, I need a way to assign the last server load value that was logged before each operation message, to each individual operation message.

Let me know if this doesn't make sense :). I've been having a rough time working it out.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎06-20-2012 06:34 AM

the time is probably your best join.

example :
source=logA format : load=12 (happening every 5 min)
source=logB format : duration=19 (happening any time)

a basic search may be like :



source=logA OR source=logB load OR duration | timechart span=5min max(load) AS load avg(duration) AS duration | table load duration

View solution in original post

Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎06-20-2012 06:34 AM

the time is probably your best join.

example :
source=logA format : load=12 (happening every 5 min)
source=logB format : duration=19 (happening any time)

a basic search may be like :



source=logA OR source=logB load OR duration | timechart span=5min max(load) AS load avg(duration) AS duration | table load duration

Reply
Solved! Jump to solution

tslnmx
Explorer
‎06-20-2012 06:41 AM

Novel solution, thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...