Splunk Search

How do we fetch events after getting stats on the events , and we have no more of the events in the results?

rohanmiskin
Explorer

Hi,

I'm trying to filter on the logs of spring boot application.
I want to calculate the time that a POST request takes.
The search query im trying is

index="xyz" correlationid="1234"| stats values(correlationid) min(_time) AS start max(_time) AS end | eval duration=end-start

Here, I manually search for the events which are POST requests, then I get the correlation ID of that request, and use it in the query.

The reason why im directly not using the string "POST" is that there are other logs too that get generated after a POST request is made till the POST returns status as successful. SO I have to consider all those events. Is there a way to search the correlation ID from all the events and then use the obtained correlation ID to fetch all the events with that correlation ID?

Example of logs
10.30 2019 | 1234 | POST /data
10.31 2019 | 1234 | data verified
10.32 2019 | 1234 | successfully posted data

I need the duration 10.32-10.30=0.02

0 Karma
1 Solution

chrisyounger
SplunkTrust
SplunkTrust

Hi @rohanmiskin

You are on the right track but I think this is what you need to do:

index="xyz" correlationid="1234"| stats min(_time) AS start max(_time) AS end by correlationid| eval duration=end-start

If that doesn't work for you, you can look into using the transaction command but that has some performance implications. https://docs.splunk.com/Documentation/Splunk/7.2.3/SearchReference/Transaction

All the best, Chris.

View solution in original post

woodcock
Esteemed Legend

The answer to your question as you have literally asked it, just change stats into eventstats.

rohanmiskin
Explorer

Is there a way where i can fetch the correlation ids first and store them in a variable and use the variable in the query.
for example a variable 'a' contains the index and correlationid details:
a=(index="xyz" "POST /data" | stats values(correlationid) by index)
Then use this in the actual query
index="xyz" correlationid=a.get_correlationid| stats values(correlationid) min(_time) AS start max(_time) AS end | eval duration=end-start

0 Karma

chrisyounger
SplunkTrust
SplunkTrust

Hi @rohanmiskin

You are on the right track but I think this is what you need to do:

index="xyz" correlationid="1234"| stats min(_time) AS start max(_time) AS end by correlationid| eval duration=end-start

If that doesn't work for you, you can look into using the transaction command but that has some performance implications. https://docs.splunk.com/Documentation/Splunk/7.2.3/SearchReference/Transaction

All the best, Chris.

rohanmiskin
Explorer

Is there a way where i can fetch the correlation ids first and store them in a variable and use the variable in the query.
for example a variable 'a' contains the index and correlationid details:
a=(index="xyz" "POST /data" | stats values(correlationid) by index)
Then use this in the actual query
index="xyz" correlationid=a.get_correlationid| stats values(correlationid) min(_time) AS start max(_time) AS end | eval duration=end-start

0 Karma

chrisyounger
SplunkTrust
SplunkTrust

I am not sure what you mean but this may do it: index="xyz" | eventstats min(_time) AS start max(_time) AS end by correlationid| eval duration=end-start | search "POST /data"

or

index="xyz" | eventstats min(_time) AS start max(_time) AS end by correlationid| eval duration=end-start | search "POST /data" | table *

0 Karma

rohanmiskin
Explorer

@chrisyoungerjds . This was what i wanted. Thank you very much :).

0 Karma

chrisyounger
SplunkTrust
SplunkTrust

Great to hear.

0 Karma
Get Updates on the Splunk Community!

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Avoid Certificate Expiry Issues in Splunk Enterprise with Certificate Assist

This blog post is part 2 of 4 of a series on Splunk Assist. Click the links below to see the other ...

Using Machine Learning for Hunting Security Threats

REGISTER NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more ...