Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I join a transaction search with a transaction subsearch?

dj_madeira_opow
New Member
‎02-16-2016 12:04 PM

I am attempting to find out the elapsed time between two log statements as a percentage of the duration of the full request in my service logs. Here's what I have which does not work:

index=service_public service=my-service | transaction correlation_id | join correlation_id [search index=service_public service=my-service | transaction correlation_id startsWith=eval(message="Sent request to other service") endsWith=eval(message="Response received from other service") | rename duration AS duration_other_service]

correlation_id is a UUID unique to a user request, but shared across services (passed via headers). I am trying to use a join to make duration_other_service a field on each transaction in the original query, so I can do something like eval other_service_dur_perc = duration_other_service / duration.

For some reason, this join returns no results. Do joins not work on transactions? I know the join works, because this returns results:

index=service_public | join correlation_id [search index=service_public message="Response received from other service"]

I have also tried using append and stats func by correlation_id, but I can't figure out what func should be.

0 Karma
Reply

somesoni2
Revered Legend
‎02-16-2016 01:05 PM

Try something like this

 index=service_public service=my-service | transaction correlation_id | table correlation_id duration|append [search index=service_public service=my-service | transaction correlation_id startsWith=eval(message="Sent request to other service") endsWith=eval(message="Response received from other service") | table correlation_id duration| rename duration AS duration_other_service] | stats values(*) as * by correlation_id eval other_service_dur_perc = round(duration_other_service*100/duration,2)
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...