Splunk Search

How can I combine the events to bring it back as 1 event or even for it to show just a list of fields?

Sfry1981
Communicator

I have a search like this where it brings back a history of an event based on the guid. The last event has the information about the error but the first event has the information about the ID of the user under a_tid. I have mapped out the searches below for info:

index=nameofindex Microservice "Instance errored" 

This brings back the below event

a_time="2018-06-15 21:26:49,836", a_tid="(null)", a_rid="71111111-3be2-46ea-a91e-f635b785a750",  a_msg="Instance errored"

Now if I search with the guid ID as per the below:

index=nameofindex a_rid="71111111-3be2-46ea-a91e-f635b785a750"

I get the below events:

a_time="2018-06-15 21:26:49,836", a_tid="(null)", a_rid="71111111-3be2-46ea-a91e-f635b785a750",  a_msg="Instance errored"

a_time="2018-06-15 21:26:49,671", a_tid="10132", a_rid="71111111-3be2-46ea-a91e-f635b785a750",  a_tid="00001" a_msg="Registering instance"

What I want to do is perform the first search, but I want to pull through a list of the a_tid values that have an ID like the above, which shows a_tid="00001".

Ideally I would like the event to show as the below:

a_time="2018-06-15 21:26:49,836", a_rid="71111111-3be2-46ea-a91e-f635b785a750",  a_msg="Instance errored", a_tid="00001"

So the link is there on the event history but how can I combine the events to bring it back as 1 event or even for it to show just a list of a_tid?

1 Solution

Ayn
Legend

I would write a subsearch for retrieving all a_rid values for events with the "Instance errored" message, then either run transaction or stats for getting the desired results. I noticed you say you're searching for "Microservice" but the example event you show doesn't actually have that string in it - maybe you meant sourcetype=Microservice or something? I'm assuming this in my query below.

index=nameofindex [search index=nameofindex sourcetype=Microservice "Instance errored" | fields a_rid] | transaction a_rid | search a_tid=00001

...or similarly using stats, which is cheaper from a performance perspective:

index=nameofindex [search index=nameofindex sourcetype=Microservice "Instance errored" | fields a_rid] | stats values(a_tid) as a_tid by a_rid | search a_tid=00001


Sfry1981
Communicator

Thanks Ayn, that's done the trick. This now gives me the next step to connect more dots, as it was bugging me 🙂

Also, like you say, the transaction was too costly, so I went with the stats, which was a lot better.


Ayn
Legend

Cool, there's also eventstats, which does the same as stats but keeps all data from the original events, if that helps.
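As an added Python model of what the accepted answer's stats pipeline and the eventstats variant mentioned above actually compute (this is not Splunk code and is not from the thread): a regex stands in for Splunk's key="value" field extraction, errored_rids() plays the subsearch, stats_values_by_rid() plays `stats values(a_tid) as a_tid by a_rid`, eventstats_values_by_rid() plays the eventstats form that keeps every original event, and rids_with_tid() runs the whole pipeline including the final `search a_tid=00001`. The sample events are constructed; the first two reuse the values from the question and the second instance's GUID is made up.

```python
import re
from collections import defaultdict

# Constructed sample events in the key="value" layout shown in the thread.
# The first two reuse the question's values; the second instance (made-up
# GUID) shows that grouping by a_rid keeps instances apart.
SAMPLE_EVENTS = [
    'a_time="2018-06-15 21:26:49,836", a_tid="(null)", a_rid="71111111-3be2-46ea-a91e-f635b785a750",  a_msg="Instance errored"',
    'a_time="2018-06-15 21:26:49,671", a_tid="10132", a_rid="71111111-3be2-46ea-a91e-f635b785a750",  a_tid="00001" a_msg="Registering instance"',
    'a_time="2018-06-15 21:30:02,104", a_tid="20456", a_rid="22222222-0000-4000-8000-000000000002",  a_tid="00002" a_msg="Registering instance"',
    'a_time="2018-06-15 21:30:05,900", a_tid="(null)", a_rid="22222222-0000-4000-8000-000000000002",  a_msg="Instance completed"',
]

# Stand-in for Splunk's automatic key="value" extraction.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(raw):
    """Extract key="value" pairs; a repeated key (a_tid above) becomes a multivalue list."""
    fields = defaultdict(list)
    for key, value in FIELD_RE.findall(raw):
        fields[key].append(value)
    return dict(fields)


def errored_rids(events):
    """The subsearch: every a_rid whose event carries the "Instance errored" message."""
    return {ev["a_rid"][0] for ev in events if "Instance errored" in ev.get("a_msg", [])}


def stats_values_by_rid(events, rids):
    """stats values(a_tid) as a_tid by a_rid: one row per a_rid holding the
    distinct a_tid values, sorted as Splunk's values() returns them."""
    groups = defaultdict(set)
    for ev in events:
        rid = ev["a_rid"][0]
        if rid in rids:
            groups[rid].update(ev.get("a_tid", []))
    return {rid: sorted(vals) for rid, vals in groups.items()}


def eventstats_values_by_rid(events, rids):
    """eventstats values(a_tid) as a_tid by a_rid: every original event is kept
    and annotated with its group's full a_tid list instead of being collapsed."""
    merged = stats_values_by_rid(events, rids)
    out = []
    for ev in events:
        rid = ev["a_rid"][0]
        if rid in rids:
            annotated = dict(ev)
            annotated["a_tid"] = merged[rid]
            out.append(annotated)
    return out


def rids_with_tid(raw_events, wanted_tid="00001"):
    """The full pipeline from the accepted answer: subsearch -> stats -> search a_tid=<wanted>."""
    events = [parse_event(line) for line in raw_events]
    rows = stats_values_by_rid(events, errored_rids(events))
    # `search a_tid=00001` on a multivalue field matches when any value equals it.
    return sorted(rid for rid, tids in rows.items() if wanted_tid in tids)


if __name__ == "__main__":
    parsed = [parse_event(line) for line in SAMPLE_EVENTS]
    rids = errored_rids(parsed)
    for rid, tids in stats_values_by_rid(parsed, rids).items():
        print(rid, tids)
    print("matches:", rids_with_tid(SAMPLE_EVENTS))
```

Two details the model makes visible: the "(null)" placeholder on the errored event is an ordinary string, so values() keeps it in the list alongside the real IDs (it sorts first because "(" precedes the digits), and the second instance never appears in the output even though it has an a_tid, because its GUID is not returned by the subsearch.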
