Splunk Search

How to fetch and compare unique id's from different events in Splunk query

rkishoreqa
Communicator

Hi team, 


I am creating a query to fetch a unique id from different events which have different statuses. If two log events have the same unique id, one with status="START" and one with status="END", then that application has completed 1 successful iteration; otherwise it should be an error.

I created one query but can't understand how to compare the 'correlationId' from different events. Can anyone please help with the query to compare the 'correlationId' from different events, building on the query below?

>>  index="dev" | rex "\"Status\\\\\"\s:\s\\\\\"(?<Status>[^\\\]+)" | stats count by applicationName,Status|where Status in("START","END")

Below are the logs for 'Start' & 'End' events.  

log: [2021-09-01 04:14:10.216] INFO api [[PythonRuntime].uber.12772: [tyt-autoencoding-dev].get-terms-from-oc/processors/1.ps.BLOCKING @f089563] [event: 80961137-6734-4f7f-8750-3d27cdf2a4eb]: {
"correlationId" : "80961137-6734-4f7f-8750-3d27cdf2a4eb",
"Status" : "START",
"priority" : "INFO",
"category" : "com.tayota.api",
"elapsed" : 0,
"timestamp" : "2021-09-01T04:14:10.215Z",
"applicationName" : "Toyato Encoding API",
"applicationVersion" : "v1",
"environment" : "Development",
}

log: [2021-09-01 04:14:10.216] INFO api [[PythonRuntime].uber.12772: [tyt-autoencoding-dev].get-terms-from-oc/processors/1.ps.BLOCKING @f089563] [event: 80961137-6734-4f7f-8750-3d27cdf2a4eb]: {
"correlationId" : "80961137-6734-4f7f-8750-3d27cdf2a4eb",
"Status" : "END",
"priority" : "INFO",
"category" : "com.tayota.api",
"elapsed" : 0,
"timestamp" : "2021-09-01T04:14:10.215Z",
"applicationName" : "Toyato Encoding API",
"applicationVersion" : "v1",
"environment" : "Development",
}

Thanks in advance.


rkishoreqa
Communicator

In other words, 
App : A1
Status : Start
correlationID : "80961137-6734-4f7f-8750-3d27cdf2a4eb"


App: A2 
Status: Start 
correlationID : "64531137-6734-4f7f-8750-3d27cdf2a4qq",

App: A2 
Status: End 
correlationID : "64531137-6734-4f7f-8750-3d27cdf2a4qq",

App : A1
Status : Start
correlationID : "80961137-6734-4f7f-8750-3d27cdf2a4eb"

Here, when the Apps A1, A2 have the same correlationIDs along with status 'START' & 'END', then we should consider it as 1 successful instance completed.
Otherwise we need to mark it as 1 failed instance.
Here I need the suggestion to build the query for this requirement.


ITWhisperer
SplunkTrust

If you have the correlation id extracted, you can do stats by correlation id to correlate events.


rkishoreqa
Communicator

I am able to query the 'correlationId' and do stats on it. But how can I match those 'correlationId's which have 'START' and 'END' status?


ITWhisperer
SplunkTrust
| stats values(Status) as Status by correlationId
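A complete search built on that approach, added here as an example and not posted by anyone in the thread. It extracts the three fields from the JSON body as pasted in the question (assuming the quotes are not backslash-escaped in _raw; if they are, as the original rex suggests, keep that escaping in each rex), rolls START/END up per correlationId, and counts successful versus failed instances per application.

```spl
index="dev"
| rex field=_raw "\"correlationId\"\s*:\s*\"(?<correlationId>[^\"]+)\""
| rex field=_raw "\"Status\"\s*:\s*\"(?<Status>[^\"]+)\""
| rex field=_raw "\"applicationName\"\s*:\s*\"(?<applicationName>[^\"]+)\""
| where Status IN("START","END")
| stats count(eval(Status="START")) AS starts,
        count(eval(Status="END")) AS ends,
        values(applicationName) AS applicationName
        BY correlationId
| eval outcome=if(starts>0 AND ends>0, "success", "failed")
| stats count AS instances BY applicationName, outcome
```

The first stats yields one row per correlationId with its START and END counts, so a correlationId seen only with START (like A1 in the second post) gets outcome "failed"; drop the final stats to inspect those per-correlationId rows instead of the per-application totals.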