Splunk Search

How can I join results from one search to another based on time durations?

Traer001
Path Finder

Hello all,

I have two searches. One is for finding session info/durations and the other is for finding error info/durations. I want to combine the session IDs to my error info table based on whether the error occurred during that session.

So for instance, if I have something like this for my session data:

2021-06-14 14:45:12 UserId:123 Session 3 begin
2021-06-14 14:43:43 UserId:123 Session 2 end
2021-06-14 14:40:01 UserId:123 Session 2 begin
2021-06-14 14:33:10 UserId:123 Session 1 end
2021-06-14 14:25:44 UserId:123 Session 1 begin

 

And I have something like this for my error data:

2021-06-14 14:30:12 UserId:123 Error finish
2021-06-14 14:28:43 UserId:123 Error start

 

I would want to include session ID 1 to my error info table because an error happened during that session. I currently have a search like this, but it is not working how I want it to. How might I be able to rewrite this to show what I want? Also, if I wanted to just find the next session transaction after the end of an error, how can I do that?

 

index=INDEX host=HOSTNAME sourcetype=SOURCETYPE
| rex field=_raw "UserId:(?<user_id>\d+)"
| transaction user_id startswith="start" endswith="finish"
| where user_id<2000
| eval start=_time
| eval finish=_time+duration
| eval error_duration=tostring(duration, "duration")
| eval error_start=strftime(start, "%Y-%m-%d %H:%M:%S")
| eval error_end=strftime(finish, "%Y-%m-%d %H:%M:%S")
| join user_id [search index=INDEX host=HOSTNAME sourcetype=SOURCETYPE_TWO
| rex field=_raw "UserId:(?<user_id>\d+)\sSession\s(?<session_id>\d+)"
| sort 0 user_id session_id -_time
| transaction user_id session_id maxpause=5m endswith="end"
| eval begin=_time
| eval end=_time+duration
| where user_id<2000
| eval duration=tostring(duration, "duration")
| table user_id, begin, end, duration, session_id]
| where start>=begin and finish<=end
| table user_id, session_id, error_start, error_end, error_duration

 

Labels (4)
0 Karma
Get Updates on the Splunk Community!

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...