Splunk Search

How to create table based on below logs

UdayBhaskar
Engager

 

{"timestamp":"2023-06-28T11:00:13.545Z","message":"Time taken for Method1 Call : 3120","class":"com.xyz.enterprise.plans.client.v20.D2CClient","thread":"reactor-http-nio-1","level":"DEBUG","service":"product-aggregator-models","traceId":"4b2f19f625adf891","spanId":"4b2f19f625adf891"}

{"timestamp":"2023-06-28T11:00:13.901Z","message":"Time taken for Method2 : 3476","class":"com.xyz.enterprise.plans.client.v20.D2CClient","thread":"reactor-http-nio-1","level":"DEBUG","service":"product-aggregator-models","traceId":"4b2f19f625adf891","spanId":"4b2f19f625adf891"}

{"timestamp":"2023-06-28T11:00:14.43Z","message":"Time taken for Method3 Services : 4082","class":"com.xyz.enterprise.plans.client.v20.HpassClient","thread":"reactor-http-nio-4","level":"DEBUG","service":"product-aggregator-models","traceId":"4b2f19f625adf891","spanId":"4b2f19f625adf891"}

{"timestamp":"2023-06-28T11:00:14.454Z","message":"Time taken for Method4 : 4","class":"com.xyz.enterprise.plans.service.v20.InvokeAndCombineHpassD2CService","thread":"reactor-http-nio-4","level":"DEBUG","service":"product-aggregator-models","traceId":"4b2f19f625adf891","spanId":"4b2f19f625adf891"}

 



From the above logs I want to create a table as below. How do I achieve it?

traceId           Method1  Method2  Method3  Method4
4b2f19f625adf891  3120     3476     4082     4
1 Solution

danspav
SplunkTrust

Hi @UdayBhaskar,

Here's some SPL that may do what you need. This search will work no matter what the method name is, as I assume that your methods won't be named "method1", "method2" etc.

 

| makeresults
| eval raw="{\"timestamp\":\"2023-06-28T11:00:13.545Z\",\"message\":\"Time taken for Method1 Call : 3120\",\"class\":\"com.xyz.enterprise.plans.client.v20.D2CClient\",\"thread\":\"reactor-http-nio-1\",\"level\":\"DEBUG\",\"service\":\"product-aggregator-models\",\"traceId\":\"4b2f19f625adf891\",\"spanId\":\"4b2f19f625adf891\"}@@@{\"timestamp\":\"2023-06-28T11:00:13.901Z\",\"message\":\"Time taken for Method2 : 3476\",\"class\":\"com.xyz.enterprise.plans.client.v20.D2CClient\",\"thread\":\"reactor-http-nio-1\",\"level\":\"DEBUG\",\"service\":\"product-aggregator-models\",\"traceId\":\"4b2f19f625adf891\",\"spanId\":\"4b2f19f625adf891\"}@@@{\"timestamp\":\"2023-06-28T11:00:14.43Z\",\"message\":\"Time taken for Method3 Services : 4082\",\"class\":\"com.xyz.enterprise.plans.client.v20.HpassClient\",\"thread\":\"reactor-http-nio-4\",\"level\":\"DEBUG\",\"service\":\"product-aggregator-models\",\"traceId\":\"4b2f19f625adf891\",\"spanId\":\"4b2f19f625adf891\"}@@@{\"timestamp\":\"2023-06-28T11:00:14.454Z\",\"message\":\"Time taken for Method4 : 4\",\"class\":\"com.xyz.enterprise.plans.service.v20.InvokeAndCombineHpassD2CService\",\"thread\":\"reactor-http-nio-4\",\"level\":\"DEBUG\",\"service\":\"product-aggregator-models\",\"traceId\":\"4b2f19f625adf891\",\"spanId\":\"4b2f19f625adf891\"}"
| makemv raw delim="@@@" | mvexpand raw | table raw | rename raw as _raw | extract | eval _time=strptime(timestamp,"%Y-%m-%dT%H:%M:%S.%3NZ")
``` Above recreates the test data ```

``` Extract the Method name and duration from the message field```
| rex field=message "Time taken for (?<method>[^\s]+) (?:Call |Services )?: (?<duration>\d+)$"

``` Prefix the method names with API_ so we can refer to them later```
| eval method = "API_" . method

``` Create fields for the method, with the duration as the value```
| eval {method}=duration
| stats values(API_*) as API_* by traceId

``` Remove the "API_" prefix so we just have the method name```
| foreach API_* [|rename <<FIELD>> AS <<MATCHSTR>>]

 


This search does the following:

  • Creates the test data (you can remove this for your actual data)
  • Extracts the method name and duration. These would be good Field Extractions to implement.
  • Prefixes all the method fields with "API_"
  • Creates fields using the {field} syntax - creating method fields with the duration as the value
  • Uses stats to create the table based on traceId
  • Renames all the API_* fields back to the method names

It results in:

[screenshot of the resulting table: one row for traceId 4b2f19f625adf891 with one column per method name, each holding that method's duration]

Cheers,
Daniel



UdayBhaskar
Engager

Hi @danspav 
Thanks for the reply, this creates exactly what I wanted in the table.

But in case I wanted to have the difference between two values in the table, how can I get that?

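The same pivot as the accepted SPL, and the difference the follow-up asks about, worked through outside Splunk. This is an added example, not code from the thread or from Splunk: it takes the four JSON lines posted in the question (embedded below as constructed sample input), applies the same regex as the answer's rex, builds one row per traceId with one column per method name, and subtracts one method's duration from another. The function names (parse_event, pivot_by_trace, render_table, duration_difference) are this example's own.

```python
import json
import re
from collections import defaultdict

# Constructed sample input: the four JSON lines posted in the question,
# one event per line as Splunk would index them.
SAMPLE_LOGS = """\
{"timestamp":"2023-06-28T11:00:13.545Z","message":"Time taken for Method1 Call : 3120","class":"com.xyz.enterprise.plans.client.v20.D2CClient","thread":"reactor-http-nio-1","level":"DEBUG","service":"product-aggregator-models","traceId":"4b2f19f625adf891","spanId":"4b2f19f625adf891"}
{"timestamp":"2023-06-28T11:00:13.901Z","message":"Time taken for Method2 : 3476","class":"com.xyz.enterprise.plans.client.v20.D2CClient","thread":"reactor-http-nio-1","level":"DEBUG","service":"product-aggregator-models","traceId":"4b2f19f625adf891","spanId":"4b2f19f625adf891"}
{"timestamp":"2023-06-28T11:00:14.43Z","message":"Time taken for Method3 Services : 4082","class":"com.xyz.enterprise.plans.client.v20.HpassClient","thread":"reactor-http-nio-4","level":"DEBUG","service":"product-aggregator-models","traceId":"4b2f19f625adf891","spanId":"4b2f19f625adf891"}
{"timestamp":"2023-06-28T11:00:14.454Z","message":"Time taken for Method4 : 4","class":"com.xyz.enterprise.plans.service.v20.InvokeAndCombineHpassD2CService","thread":"reactor-http-nio-4","level":"DEBUG","service":"product-aggregator-models","traceId":"4b2f19f625adf891","spanId":"4b2f19f625adf891"}
"""

# Same pattern as the rex in the accepted answer: method name, an optional
# "Call"/"Services" word, then the duration, anchored to the end of the message.
METHOD_RE = re.compile(r"Time taken for (?P<method>\S+) (?:Call |Services )?: (?P<duration>\d+)$")


def parse_event(line):
    """Return (traceId, method, duration) for one JSON log line, or None when
    the line is not JSON, has no traceId, or its message is not a 'Time taken' record."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    match = METHOD_RE.search(event.get("message", ""))
    if match is None or "traceId" not in event:
        return None
    return event["traceId"], match.group("method"), int(match.group("duration"))


def pivot_by_trace(log_text):
    """Python equivalent of `eval {method}=duration | stats values(API_*) by traceId`:
    one row per traceId, one column per method name seen in the data.
    Like stats values(), distinct repeated durations for one method are kept as a list."""
    table = defaultdict(dict)
    for line in log_text.splitlines():
        parsed = parse_event(line)
        if parsed is None:
            continue  # non-matching events contribute no field, as in the SPL
        trace_id, method, duration = parsed
        values = table[trace_id].setdefault(method, [])
        if duration not in values:
            values.append(duration)
    return dict(table)


def method_columns(table):
    """All method names across every trace, sorted, so the header is stable."""
    return sorted({m for row in table.values() for m in row})


def render_table(table):
    """Render the pivot as rows of strings; a method absent from a trace is a blank cell."""
    columns = method_columns(table)
    rows = [["traceId"] + columns]
    for trace_id in sorted(table):
        row = table[trace_id]
        rows.append([trace_id] + [",".join(str(v) for v in row.get(col, [])) for col in columns])
    return rows


def duration_difference(table, trace_id, method_a, method_b):
    """method_a minus method_b for one trace (the follow-up question).
    Refuses to guess when either method logged more than one distinct value in the trace."""
    row = table[trace_id]
    a, b = row.get(method_a, []), row.get(method_b, [])
    if len(a) != 1 or len(b) != 1:
        raise ValueError(f"{method_a}/{method_b} not single-valued for trace {trace_id}: {a} {b}")
    return a[0] - b[0]


if __name__ == "__main__":
    pivot = pivot_by_trace(SAMPLE_LOGS)
    for row in render_table(pivot):
        print("\t".join(row))
    print("Method3 - Method1 =", duration_difference(pivot, "4b2f19f625adf891", "Method3", "Method1"))
```

Two points worth carrying back to the SPL. First, `eval {method}=duration` turns whatever the regex captured into a field name, so the column set is decided by log content; if the message text can ever contain user-controlled strings, restrict the capture to an allowlist of known method names before pivoting. Second, `stats values()` yields a multivalue field when a method is logged more than once per trace, so any `eval diff = Method3 - Method1` added after the stats needs a `mvindex` or `max`/`min` choice first, which is why the difference helper above refuses to pick silently.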