Splunk Search

How to correlate the results of two searches?

sebasti1aan
New Member

Hi all,

We have two reverse proxies, one front, one back. They both log http requests and responses to the same index. Each request has a unique-ID that is the same on the front and back. I would like to correlate the front and back requests with the same unique-ID. So the two searches are something like this:

index=rpx proxy=front unique_id=*
index=rpx proxy=back unique_id=*

Log lines would then look something like this (shortened for brevity):

proxy=front, unique_id=123456, time_taken=2ms
proxy=back, unique_id=123456, time_taken=5ms

My goal is to have the delta of the time_taken field and then display it in, for instance, a timechart avg. Maybe I should do one search and correlate on the time_taken field from there?

0 Karma

aasabatini
Motivator

Without a dataset it's a little bit complicated, but you have to use this logic:

index=rpx unique_id=* (proxy=front OR proxy=back)
| eval time_taken_ms=tonumber(replace(time_taken,"ms$",""))
| eval time_taken_front=if(proxy="front",time_taken_ms,null()), time_taken_back=if(proxy="back",time_taken_ms,null())
| stats min(_time) as _time, max(time_taken_front) as time_taken_front, max(time_taken_back) as time_taken_back by unique_id
| eval delta=time_taken_back-time_taken_front
| timechart avg(delta)
“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma
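The pairing logic that search performs, shown outside Splunk as an added Python example that is not part of the original thread: it parses a handful of constructed front/back log lines, pairs them by unique_id, reports ids seen on only one proxy (a request the front accepted but the back never logged is worth knowing about), strips the "ms" suffix before doing arithmetic, and averages the delta per 60-second bucket the way timechart avg(delta) would. The _time field on each line and the 60-second span are assumptions.

```python
import re
from collections import defaultdict
from statistics import mean

# Constructed sample log lines (not from the original post). The _time field is
# an assumed epoch timestamp standing in for the event time Splunk would assign.
SAMPLE_LOGS = [
    "_time=1700000000 proxy=front, unique_id=123456, time_taken=2ms",
    "_time=1700000000 proxy=back, unique_id=123456, time_taken=5ms",
    "_time=1700000030 proxy=front, unique_id=123457, time_taken=3ms",
    "_time=1700000031 proxy=back, unique_id=123457, time_taken=9ms",
    "_time=1700000090 proxy=front, unique_id=123458, time_taken=1ms",  # no back event
    "_time=1700000100 proxy=front, unique_id=123459, time_taken=4ms",
    "_time=1700000100 proxy=back, unique_id=123459, time_taken=6ms",
]

FIELD_RE = re.compile(r"(\w+)=([^,\s]+)")


def parse_line(line):
    """Extract key=value pairs roughly the way Splunk's automatic field extraction would."""
    fields = dict(FIELD_RE.findall(line))
    fields["_time"] = int(fields["_time"])
    # time_taken carries a unit suffix in the logs, so strip it before any arithmetic
    fields["time_taken_ms"] = int(re.sub(r"ms$", "", fields["time_taken"]))
    return fields


def correlate(lines):
    """Group events by unique_id and compute back minus front time_taken.

    Returns (matched, unmatched): matched maps unique_id -> (earliest _time, delta_ms),
    unmatched lists ids that were seen on only one of the two proxies.
    """
    by_id = defaultdict(dict)
    for line in lines:
        ev = parse_line(line)
        by_id[ev["unique_id"]][ev["proxy"]] = ev
    matched, unmatched = {}, []
    for uid, sides in by_id.items():
        if "front" in sides and "back" in sides:
            t = min(sides["front"]["_time"], sides["back"]["_time"])
            delta = sides["back"]["time_taken_ms"] - sides["front"]["time_taken_ms"]
            matched[uid] = (t, delta)
        else:
            unmatched.append(uid)
    return matched, unmatched


def timechart_avg(matched, span_seconds=60):
    """Bucket the deltas by time span and average each bucket, like timechart span=60s avg(delta)."""
    buckets = defaultdict(list)
    for t, delta in matched.values():
        buckets[t - t % span_seconds].append(delta)
    return {b: mean(v) for b, v in sorted(buckets.items())}


if __name__ == "__main__":
    matched, unmatched = correlate(SAMPLE_LOGS)
    print("per-bucket avg delta:", timechart_avg(matched))
    print("seen on one proxy only:", unmatched)
```

With the sample above, ids 123456 and 123457 land in the same minute (average delta 4.5 ms), 123459 in a later one (2 ms), and 123458 is reported as unmatched instead of silently dropping out of the average.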

sebasti1aan
New Member

Thanks I will try it out and report back 🙂

0 Karma