How to display/access parameters after grouping?

KAKA · ‎09-02-2022

For example I have getting splunk logs with 4 fields

Time	Event
time 1	service = "service1" \| operation = "sampleOperation1" \| responseTime = "10" \| requestId = "sampleRequestId1"
time2	service = "service2" \| operation = "sampleOperation2" \| responseTime = "60" \| requestId = "sampleRequestId2"
time3	service = "service2" \| operation = "sampleOperation2" \| responseTime = "60" \| requestId = "uniqueRequestId3"
time4	service = "service4" \| operation = "sampleOperation4" \| responseTime = "30" \| requestId = "sampleRequestId4"

My objective is to find from all the logs if count is greater then 20 for combination of (service,operation) with reponseTime>40.

Expected Output

service1 operation1 [sampleRequestId2,uniqueRequestId3]

The query I have for now is

search here......

| stats count(eval(responseTime>60)) as reponseCount
by service, operation
| eval title= case(
match(service,"service2") AND reponseCount>20, "alert1",
)
| search title=*
| table title,service

But here I cannot refer to requestId which is being dropped. Please suggest if you any solution.

ITWhisperer · ‎09-02-2022

Try this:

| eventstats count(eval(responseTime>40)) as responseCount
by service, operation
| where responseCount > 20 AND responseTime > 40

How to display/access parameters after grouping?

stats

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?