Splunk Search

How to fetch and compare unique id's from different events in Splunk query

rkishoreqa
Path Finder

Hi team,

I am creating a query to fetch a unique id from different events which have different statuses. If two log events have the same unique id, one with status="START" and one with status="END", then that application has completed 1 successful iteration; otherwise it should be an error.

I created one query but can't understand how to compare the 'correlationId' from different events. Can anyone please help with a query to compare the 'correlationId' from different events, along with the query below?

>>  index="dev" | rex "\"Status\\\\\"\s:\s\\\\\"(?<Status>[^\\\]+)" | stats count by applicationName,Status|where Status in("START","END")

Below are the logs for the 'Start' & 'End' events.

log: [2021-09-01 04:14:10.216] INFO api [[PythonRuntime].uber.12772: [tyt-autoencoding-dev].get-terms-from-oc/processors/1.ps.BLOCKING @f089563] [event: 80961137-6734-4f7f-8750-3d27cdf2a4eb]: {
"correlationId" : "80961137-6734-4f7f-8750-3d27cdf2a4eb",
"Status" : "START",
"priority" : "INFO",
"category" : "com.tayota.api",
"elapsed" : 0,
"timestamp" : "2021-09-01T04:14:10.215Z",
"applicationName" : "Toyato Encoding API",
"applicationVersion" : "v1",
"environment" : "Development",
}

log: [2021-09-01 04:14:10.216] INFO api [[PythonRuntime].uber.12772: [tyt-autoencoding-dev].get-terms-from-oc/processors/1.ps.BLOCKING @f089563] [event: 80961137-6734-4f7f-8750-3d27cdf2a4eb]: {
"correlationId" : "80961137-6734-4f7f-8750-3d27cdf2a4eb",
"Status" : "END",
"priority" : "INFO",
"category" : "com.tayota.api",
"elapsed" : 0,
"timestamp" : "2021-09-01T04:14:10.215Z",
"applicationName" : "Toyato Encoding API",
"applicationVersion" : "v1",
"environment" : "Development",
}

Thanks in advance.


rkishoreqa
Path Finder

In other words, 
App : A1
Status : Start
correlationID : "80961137-6734-4f7f-8750-3d27cdf2a4eb"


App: A2 
Status: Start 
correlationID : "64531137-6734-4f7f-8750-3d27cdf2a4qq",

App: A2 
Status: End 
correlationID : "64531137-6734-4f7f-8750-3d27cdf2a4qq",

App : A1
Status : Start
correlationID : "80961137-6734-4f7f-8750-3d27cdf2a4eb"

Here the apps A1 and A2 have the same correlationIDs along with status 'START' & 'END', so we should consider it as 1 successful instance completed.
Otherwise we need to mark it as 1 failed instance.
Here I need a suggestion on how to build the query for this requirement.


ITWhisperer
SplunkTrust

If you have the correlation id extracted, you can do stats by correlation id to correlate events.


rkishoreqa
Path Finder

I can query the 'correlationId' and do stats on it. But how can I match these 'correlationId's which have 'START' and 'END' status?


ITWhisperer
SplunkTrust
| stats values(Status) as Status by correlationId
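Putting the two halves of the thread together, here is a complete search that does the correlation, written as an added example rather than code from either poster. It assumes the JSON keys appear unescaped in _raw exactly as in the sample logs above (the original poster's rex allows for escaped quotes like \"Status\", so if the raw events look like that the two rex patterns need the extra backslashes put back), and it assumes the index name "dev" and the field names correlationId, Status and applicationName from the question.

```spl
index="dev" "correlationId"
| rex field=_raw "\"correlationId\"\s*:\s*\"(?<correlationId>[^\"]+)\""
| rex field=_raw "\"Status\"\s*:\s*\"(?<Status>[^\"]+)\""
| rex field=_raw "\"applicationName\"\s*:\s*\"(?<applicationName>[^\"]+)\""
| where in(Status, "START", "END")
| stats earliest(_time) as first_seen,
        latest(_time) as last_seen,
        values(applicationName) as applicationName,
        count(eval(Status="START")) as starts,
        count(eval(Status="END")) as ends
        by correlationId
| eval result=if(starts>0 AND ends>0, "success", "failed")
| eval duration_sec=if(result="success", last_seen-first_seen, null())
| stats count as instances,
        count(eval(result="success")) as success,
        count(eval(result="failed")) as failed
        by applicationName
```

The first stats collapses every event that shares a correlationId into one row and counts how many START and END markers it carried; a row with at least one of each is a completed iteration, anything else (START only, or END only, which usually means the START fell outside the search window) is failed. The second stats rolls that up per application, which is what the original count by applicationName, Status was trying to do. Drop the last line if you want one row per correlationId with the result and duration, for example to find the iterations that never ended.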