Splunk Search

How to fetch and compare unique id's from different events in Splunk query

rkishoreqa
Communicator

Hi team,

I am creating a query to fetch a unique id from different events which have different statuses. If two log events have the same unique id, one with status="START" and one with status="END", then that application has completed 1 successful iteration; otherwise it should be an error.

I created one query but can't understand how to compare the 'correlationId' from different events. Can anyone please help with a query that compares the 'correlationId' from different events, along with the query below?

>>  index="dev" | rex "\"Status\\\\\"\s:\s\\\\\"(?<Status>[^\\\]+)" | stats count by applicationName,Status|where Status in("START","END")

Below are the logs for the 'Start' & 'End' events.

log: [2021-09-01 04:14:10.216] INFO api [[PythonRuntime].uber.12772: [tyt-autoencoding-dev].get-terms-from-oc/processors/1.ps.BLOCKING @f089563] [event: 80961137-6734-4f7f-8750-3d27cdf2a4eb]: {
"correlationId" : "80961137-6734-4f7f-8750-3d27cdf2a4eb",
"Status" : "START",
"priority" : "INFO",
"category" : "com.tayota.api",
"elapsed" : 0,
"timestamp" : "2021-09-01T04:14:10.215Z",
"applicationName" : "Toyato Encoding API",
"applicationVersion" : "v1",
"environment" : "Development",
}

log: [2021-09-01 04:14:10.216] INFO api [[PythonRuntime].uber.12772: [tyt-autoencoding-dev].get-terms-from-oc/processors/1.ps.BLOCKING @f089563] [event: 80961137-6734-4f7f-8750-3d27cdf2a4eb]: {
"correlationId" : "80961137-6734-4f7f-8750-3d27cdf2a4eb",
"Status" : "END",
"priority" : "INFO",
"category" : "com.tayota.api",
"elapsed" : 0,
"timestamp" : "2021-09-01T04:14:10.215Z",
"applicationName" : "Toyato Encoding API",
"applicationVersion" : "v1",
"environment" : "Development",
}

Thanks in advance.


rkishoreqa
Communicator

In other words, 
App : A1
Status : Start
correlationID : "80961137-6734-4f7f-8750-3d27cdf2a4eb"


App: A2 
Status: Start 
correlationID : "64531137-6734-4f7f-8750-3d27cdf2a4qq",

App: A2 
Status: End 
correlationID : "64531137-6734-4f7f-8750-3d27cdf2a4qq",

App : A1
Status : Start
correlationID : "80961137-6734-4f7f-8750-3d27cdf2a4eb"

Here, if an app's events (A1, A2) have the same correlationID along with both status 'START' & 'END', then we should consider it as 1 successful instance completed.
Otherwise we need to mark it as 1 failed instance.
Here I need the suggestion to build the query for this requirement.


ITWhisperer
SplunkTrust

If you have the correlation id extracted, you can do stats by correlation id to correlate events.


rkishoreqa
Communicator

I am able to query the 'correlationId' and do stats on it. But how can I match those 'correlationId's which have both 'START' and 'END' status?


ITWhisperer
SplunkTrust

| stats values(Status) as Status by correlationId
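Building on the `stats values(Status) ... by correlationId` answer above, here is a fuller query as an added example (it is not from either poster in this thread). It assumes correlationId, Status and applicationName are already extracted fields (by the rex from the question or by automatic JSON extraction) and counts each correlationId that has both START and END as one successful iteration, and anything else (for example the A1 case with two START events and no END) as one failed iteration:

```spl
index="dev"
| where Status IN ("START","END")
| stats values(Status) AS Status
        dc(Status) AS distinctStatus
        min(_time) AS firstSeen
        max(_time) AS lastSeen
        BY applicationName correlationId
| eval result=if(distinctStatus==2, "success", "failed")
| stats count(eval(result=="success")) AS successCount
        count(eval(result=="failed")) AS failedCount
        BY applicationName
```

A correlationId with only a START may also be an iteration that is still in progress rather than a failure, so run the search over a time range that ends well after the last expected END, or drop the final `stats` to inspect the per-correlationId rows (with firstSeen and lastSeen) before treating them as failures.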