
How do we fetch events after getting stats on the events, and we have no more of the events in the results?

Explorer

Hi,

I'm trying to filter on the logs of a Spring Boot application.
I want to calculate the time that a POST request takes.
The search query I'm trying is:

index="xyz" correlationid="1234"| stats values(correlationid) min(time) AS start max(time) AS end | eval duration=end-start

Here, I manually search for the events which are POST requests, then I get the correlation ID of that request, and use it in the query.

The reason I'm not directly using the string "POST" is that there are other logs too that get generated after a POST request is made, until the POST returns a successful status. So I have to consider all those events. Is there a way to search the correlation ID from all the events and then use the obtained correlation ID to fetch all the events with that correlation ID?

Example of logs:
10.30 2019 | 1234 | POST /data
10.31 2019 | 1234 | data verified
10.32 2019 | 1234 | successfully posted data

I need the duration 10.32-10.30=0.02

0 Karma

Re: How do we fetch events after getting stats on the events, and we have no more of the events in the results?

SplunkTrust

Hi @rohanmiskin

You are on the right track but I think this is what you need to do:

index="xyz" correlationid="1234"| stats min(_time) AS start max(_time) AS end by correlationid| eval duration=end-start

If that doesn't work for you, you can look into using the transaction command, but that has some performance implications. https://docs.splunk.com/Documentation/Splunk/7.2.3/SearchReference/Transaction

All the best, Chris.


Re: How do we fetch events after getting stats on the events, and we have no more of the events in the results?

Explorer

Is there a way I can fetch the correlation IDs first, store them in a variable and use the variable in the query?
For example, a variable 'a' contains the index and correlationid details:
a=(index="xyz" "POST /data" | stats values(correlationid) by index)
Then use this in the actual query:
index="xyz" correlationid=a.getcorrelationid| stats values(correlationid) min(_time) AS start max(_time) AS end | eval duration=end-start

0 Karma

Re: How do we fetch events after getting stats on the events, and we have no more of the events in the results?

SplunkTrust

I am not sure what you mean, but this may do it:

index="xyz" | eventstats min(_time) AS start max(_time) AS end by correlationid| eval duration=end-start | search "POST /data"

or

index="xyz" | eventstats min(_time) AS start max(_time) AS end by correlationid| eval duration=end-start | search "POST /data" | table *

0 Karma
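To make the stats-versus-eventstats distinction from this thread concrete, here is an added Python sketch (not from the thread and not Splunk code) that reproduces both behaviours over the constructed log lines from the question. It assumes the leading timestamp is HH.MM, so durations come out in whole minutes rather than the "0.02" written in the question.

```python
import re

# Constructed sample events in the thread's format: "<HH.MM> <year> | <correlationid> | <message>".
SAMPLE_LOGS = """\
10.30 2019 | 1234 | POST /data
10.31 2019 | 1234 | data verified
10.32 2019 | 1234 | successfully posted data
10.45 2019 | 5678 | POST /data
10.50 2019 | 5678 | successfully posted data
11.00 2019 | 9999 | GET /health
"""

LINE_RE = re.compile(r"^(?P<hh>\d{2})\.(?P<mm>\d{2}) \d{4} \| (?P<cid>\w+) \| (?P<msg>.*)$")


def parse_events(text):
    """Turn raw lines into event dicts; _time is minutes since midnight (assumes HH.MM)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that does not match the expected format
        events.append({"_time": int(m["hh"]) * 60 + int(m["mm"]),
                       "correlationid": m["cid"], "_raw": m["msg"]})
    return events

def stats_by_cid(events):
    """Like `stats min(_time) AS start max(_time) AS end by correlationid`:
    one summary row per correlationid; the original events are gone afterwards."""
    rows = {}
    for e in events:
        r = rows.setdefault(e["correlationid"], {"start": e["_time"], "end": e["_time"]})
        r["start"], r["end"] = min(r["start"], e["_time"]), max(r["end"], e["_time"])
    for cid, r in rows.items():
        r["correlationid"], r["duration"] = cid, r["end"] - r["start"]
    return list(rows.values())

def eventstats_by_cid(events):
    """Like `eventstats ... by correlationid | eval duration=end-start`: every original
    event survives, annotated with its group's start, end and duration."""
    summary = {r["correlationid"]: r for r in stats_by_cid(events)}
    return [{**e, **{k: summary[e["correlationid"]][k] for k in ("start", "end", "duration")}}
            for e in events]

def post_durations(events):
    """The accepted search: eventstats first, then `search "POST /data"` keeps only the POSTs."""
    return [(e["correlationid"], e["duration"])
            for e in eventstats_by_cid(events) if "POST /data" in e["_raw"]]
```

Running `post_durations(parse_events(SAMPLE_LOGS))` gives one (correlationid, duration) pair per POST, which is exactly what the stats version cannot produce because it has already collapsed the POST events away.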

Re: How do we fetch events after getting stats on the events, and we have no more of the events in the results?

Explorer

@chrisyoungerjds, this was what I wanted. Thank you very much :).

0 Karma

Re: How do we fetch events after getting stats on the events, and we have no more of the events in the results?

SplunkTrust

Great to hear.

0 Karma

Re: How do we fetch events after getting stats on the events, and we have no more of the events in the results?

Esteemed Legend

The answer to your question, as you have literally asked it: just change stats into eventstats.
