Splunk Search

Grouping event by correlation id with the closest time

lucavi
New Member

Hi All,

We have a number of micro services with correlation id flowing across the request and responses. What i'm trying to do is to create a flow of request and response for 1 correlation id.

Example log

correlation idtimesourcemessage
12312:00:00Service AEnter service A
12312:00:01Service ACalling Service B
12312:00:02Service BRouting to Service C
12312:00:03Service CResult Found. Response User 1
12312:00:04Service BUsing User 1 to find resource
12312:00:05Service BResource Found. Calling Service D
12312:00:06Service DSub-resource not found. Response: null
12312:00:07Service BReturn result. Response User1, resource1
12312:00:08Service AReturn User1, resource1

 

From the example log, i would like to be able to group

Service A (12:00:00 -12:00:01)

Service B (12:00:02)

Service C (12:00:03)

Service B (12:00:04 -12:00:05)

Service D (12:00:06)

Service B (12:00:07)

Service A (12:00:08)

What i'm trying to do right now is a simple event results first before going to any further fancy visualization.

I tried using Transaction but i can't separate the source when there's a different call in between.

Here's the query that i've tried

 

123 
| eval _time=strptime(timegenerated,"%Y-%m-%dT%H:%M:%SZ")
| sort - _time
| transaction source

 

Any help is greatly appreciated.

Thanks,
Allen

Labels (3)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| streamstats window=1 current=f global=f values(source) as previous by correlation_id
| eval change=if(source==previous,0,1)
| streamstats sum(change) as group by correlation_id
| stats min(time) as start max(time) as end list(message) as messages by correlation_id group source
0 Karma
Get Updates on the Splunk Community!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today

Meet Carol Wright. She leads the Splunk Academic Alliance program at Splunk. The Splunk Academic Alliance ...

Part 2: A Guide to Maximizing Splunk IT Service Intelligence

Welcome to the second segment of our guide. In Part 1, we covered the essentials of getting started with ITSI ...

Part 1: A Guide to Maximizing Splunk IT Service Intelligence

As modern IT environments continue to grow in complexity and speed, the ability to efficiently manage and ...