Hi,
I'm trying to filter on the logs of a Spring Boot application.
I want to calculate the time that a POST request takes.
The search query I'm trying is
index="xyz" correlationid="1234"| stats values(correlationid) min(_time) AS start max(_time) AS end | eval duration=end-start
Here, I manually search for the events which are POST requests, then I get the correlation ID of that request, and use it in the query.
The reason why I'm not directly using the string "POST" is that there are other logs too that get generated after a POST request is made, until the POST returns status as successful. So I have to consider all those events. Is there a way to search the correlation ID from all the events and then use the obtained correlation ID to fetch all the events with that correlation ID?
Example of logs
10.30 2019 | 1234 | POST /data
10.31 2019 | 1234 | data verified
10.32 2019 | 1234 | successfully posted data
I need the duration 10.32-10.30=0.02
Hi @rohanmiskin
You are on the right track but I think this is what you need to do:
index="xyz" correlationid="1234"| stats min(_time) AS start max(_time) AS end by correlationid| eval duration=end-start
If that doesn't work for you, you can look into using the transaction command but that has some performance implications. https://docs.splunk.com/Documentation/Splunk/7.2.3/SearchReference/Transaction
All the best, Chris.
The answer to your question as you have literally asked it: just change stats into eventstats.
Is there a way where I can fetch the correlation IDs first and store them in a variable and use the variable in the query?
For example, a variable 'a' contains the index and correlationid details:
a=(index="xyz" "POST /data" | stats values(correlationid) by index)
Then use this in the actual query
index="xyz" correlationid=a.get_correlationid| stats values(correlationid) min(_time) AS start max(_time) AS end | eval duration=end-start
I am not sure what you mean but this may do it: index="xyz" | eventstats min(_time) AS start max(_time) AS end by correlationid| eval duration=end-start | search "POST /data"
or
index="xyz" | eventstats min(_time) AS start max(_time) AS end by correlationid| eval duration=end-start | search "POST /data" | table *
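To make the difference between the two approaches in this thread concrete, here is an added Python example (not Splunk code and not from any poster) that replays both pipelines over the thread's sample log lines plus a few constructed extra lines. It assumes the "10.30 2019" timestamps are hours.minutes and converts them to seconds since midnight, so the duration for correlation ID 1234 comes out as 120 seconds rather than the "0.02" the original post writes. stats_duration mimics the stats query (one aggregated row per correlation ID); eventstats_duration mimics eventstats (every event kept and annotated with its group's start/end); post_durations mimics the accepted answer, where the "POST /data" filter is applied after eventstats so the follow-up log lines still count toward the duration.

```python
from collections import defaultdict

# Constructed sample logs in the thread's format:
# "<hours.minutes> <year> | <correlationid> | <message>".
# The first three lines are the original post's example; the rest are added
# to show a non-POST request and a second POST with its own correlation ID.
SAMPLE_LOGS = """\
10.30 2019 | 1234 | POST /data
10.31 2019 | 1234 | data verified
10.32 2019 | 1234 | successfully posted data
10.40 2019 | 5678 | GET /status
10.45 2019 | 9999 | POST /data
10.50 2019 | 9999 | successfully posted data
"""


def parse_events(raw):
    """Turn raw lines into event dicts with _time (seconds), correlationid, message."""
    events = []
    for line in raw.strip().splitlines():
        ts, cid, msg = [part.strip() for part in line.split("|", 2)]
        hhmm, _year = ts.split()
        hours, minutes = hhmm.split(".")
        # Assumption: hours.minutes -> seconds since midnight, so that
        # durations subtract cleanly like Splunk's epoch-based _time.
        t = int(hours) * 3600 + int(minutes) * 60
        events.append({"_time": t, "correlationid": cid, "message": msg})
    return events


def stats_duration(events, correlationid):
    """Equivalent of:
    index="xyz" correlationid=<id>
      | stats min(_time) AS start max(_time) AS end by correlationid
      | eval duration=end-start
    stats collapses the group into one aggregated row (or none if no match)."""
    times = [e["_time"] for e in events if e["correlationid"] == correlationid]
    if not times:
        return None
    return {
        "correlationid": correlationid,
        "start": min(times),
        "end": max(times),
        "duration": max(times) - min(times),
    }


def eventstats_duration(events):
    """Equivalent of:
    index="xyz"
      | eventstats min(_time) AS start max(_time) AS end by correlationid
      | eval duration=end-start
    eventstats keeps every event and annotates it with its group's aggregates."""
    by_cid = defaultdict(list)
    for e in events:
        by_cid[e["correlationid"]].append(e["_time"])
    annotated = []
    for e in events:
        times = by_cid[e["correlationid"]]
        row = dict(e)
        row["start"] = min(times)
        row["end"] = max(times)
        row["duration"] = row["end"] - row["start"]
        annotated.append(row)
    return annotated


def post_durations(events, needle="POST /data"):
    """Equivalent of the accepted answer:
    ... | eventstats ... | eval duration=end-start | search "POST /data"
    Filtering after eventstats is what makes this work: the aggregates were
    computed over all lines sharing the correlation ID before the non-POST
    lines were dropped, so each surviving POST row carries the full duration."""
    return [row for row in eventstats_duration(events) if needle in row["message"]]


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOGS)
    print("stats for 1234:", stats_duration(evts, "1234"))
    for row in post_durations(evts):
        print(row["correlationid"], row["message"], "duration:", row["duration"])
```

Running the script prints one row for correlation ID 1234 (duration 120) from the stats path, and two rows (1234 and 9999) from the eventstats-then-search path without having to look up any correlation ID first, which is exactly the "variable" the follow-up question was asking for.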
@chrisyoungerjds, this was what I wanted. Thank you very much :).
Great to hear.