
Events are getting matched, but why don't I see any table with messageid and timediff?

amitrinx
Explorer

I have 2 events having fields
1. id_cse_event: sqsmessageid,timestamp
2. Scim: sqs_message_id, timestamp.

I want to search all the messages published by id_cse_events in scim using messageid, then find the difference between the timestamps.

This is the query I have written:
sourcetype=id-cse-events
| where isnotnull(sqsMessageId)
| eval sqsmsgid=sqsMessageId
| eval id_cse_time=timeStamp
| table sqsmsgid, id_cse_time
| map
[search sourcetype=scim |fields line.message.sqs_message_id, line.timestamp|search line.message.sqs_message_id="$sqsmsgid$"
| eval time_diff_in_seconds=strptime(id_cse_time,"%Y-%m-%dT%H:%M:%S")-strptime(line.timestamp,"%Y-%m-%dT%H:%M:%S") ]maxsearches=9999
| table line.message.sqs_message_id,time_diff_in_seconds

id_cse_time= 2023-01-27T09:55:45.970831Z
scim timestamp = 2023-01-27T08:24:28.601+0000



The events are getting matched, but I don't see any table with messageid and timediff.
Can anyone help?

1 Solution

ITWhisperer
SplunkTrust

Rather than using map, try gathering the events with stats

sourcetype=id-cse-events OR sourcetype=scim
| eval sqsmsgid=coalesce(sqsMessageId,'line.message.sqs_message_id')
| stats values(timeStamp) as id_cse_time values(line.timestamp) as line_timestamp by sqsmsgid
| eval time_diff_in_seconds=strptime(id_cse_time,"%Y-%m-%dT%H:%M:%S")-strptime(line_timestamp,"%Y-%m-%dT%H:%M:%S")
| table sqsmsgid,time_diff_in_seconds

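An added example (not from ITWhisperer's post) that extends the stats approach above: each sourcetype's timestamp is parsed with its own format, so the microsecond/"Z" value from id-cse-events and the millisecond/"+0000" value from scim both convert to epoch seconds, and a per-side event count makes it visible when a message id was only ever seen on one side. The field names come from the question; the `%6Q`/`%3Q` subsecond widths and `%z` offset parsing are assumptions based on the two sample timestamps.

```spl
sourcetype=id-cse-events OR sourcetype=scim
| eval sqsmsgid=coalesce(sqsMessageId, 'line.message.sqs_message_id')
| eval id_cse_epoch=if(sourcetype=="id-cse-events", strptime(timeStamp, "%Y-%m-%dT%H:%M:%S.%6QZ"), null())
| eval scim_epoch=if(sourcetype=="scim", strptime('line.timestamp', "%Y-%m-%dT%H:%M:%S.%3Q%z"), null())
| stats min(id_cse_epoch) as id_cse_epoch
        min(scim_epoch) as scim_epoch
        count(eval(sourcetype=="id-cse-events")) as id_cse_count
        count(eval(sourcetype=="scim")) as scim_count
        by sqsmsgid
| eval time_diff_in_seconds=if(isnotnull(id_cse_epoch) AND isnotnull(scim_epoch), id_cse_epoch-scim_epoch, null())
| table sqsmsgid, id_cse_count, scim_count, time_diff_in_seconds
```

Rows with scim_count=0 are message ids that never matched a scim event, which is the first thing to check when the scim timestamp column comes back empty; dotted field names such as line.timestamp must be wrapped in single quotes inside eval, otherwise eval reads the dot as string concatenation.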

amitrinx
Explorer

With this query I can only see the timestamps of id_cse_events, not for the scim.


ITWhisperer
SplunkTrust
SplunkTrust

Please can you share some events from both sourcetypes (anonymised of course), preferably in code blocks </> to prevent information being removed by the formatting process.
