Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get exception data for multiple lines of Get and Update logs

EricMonkeyKing
Explorer
‎06-13-2024 06:58 AM

Hi community, can anyone help me figure out the log which Get incorrect data after Update(both get and update will log the request and response). In my case, the data can be updated multiple times. I need to guarantee all the Get can get correct data.

For example, there are 5 rows log:

1. Update A = 5,

2. Get A = 5,

3. Get A = 6,

4. Update A = 6, 

5. Get A = 6;

These logs are sorted based on time. Obviously the result obtained in the third row is incorrect, it should return A = 5.

The sample data is like:

idvaluetimeoperation
124945912FALSE1718280482get
124945938FALSE1718280373get
124945938FALSE1718280373update
124945938null1718280363get
124945937FALSE1718280348get
124945937FALSE1718280348update
124945937null1718280337get
124945936FALSE1718280330get
124945936FALSE1718280330update

 

Both id=124945937 and id=124945936 are correct since the obtained value after Update operation is same as Update value(false) even though the previous obtained value(null) which is before Update operation does not equal to Update value. Can ignore the Get operation if there is no Update operation before. Can anyone help? Thanks in advance^^

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

P_vandereerden
Splunk Employee
Splunk Employee
‎06-13-2024 08:01 PM

Something like this should work if the timestamps are unique for each id:

index=mylogs
| sort + _time
| streamstats latest(eval(if(operation="update",value,NULL))) as Current by id 
| eval STATUS=case(isnull(Current),"OK",Current=value,"OK",1=1,"FAIL")

 

With sample data (adjusted slightly for demo purposes and unique timestamps):

 

| makeresults | eval id=124945912 | eval value="FALSE" | eval _time=1718280482 | eval operation="get"
| append [| makeresults | eval id=124945938 | eval value="FALSE" | eval _time=1718280373 | eval operation="get"]
| append [| makeresults | eval id=124945938 | eval value="FALSE" | eval _time=1718280373 | eval operation="update"]
| append [| makeresults | eval id=124945938 | eval value="null" | eval _time=1718280363 | eval operation="get"]
| append [| makeresults | eval id=124945937 | eval value="FALSE" | eval _time=1718280350 | eval operation="get"]
| append [| makeresults | eval id=124945937 | eval value="TRUE" | eval _time=1718280349 | eval operation="update"]
| append [| makeresults | eval id=124945937 | eval value="FALSE" | eval _time=1718280348 | eval operation="update"]
| append [| makeresults | eval id=124945937 | eval value="null" | eval _time=1718280337 | eval operation="get"]
| append [| makeresults | eval id=124945936 | eval value="FALSE" | eval _time=1718280331 | eval operation="get"]
| append [| makeresults | eval id=124945936 | eval value="FALSE" | eval _time=1718280330 | eval operation="update"]
| sort + _time
| streamstats latest(eval(if(operation="update",value,NULL))) as Current by id 
| eval STATUS=case(isnull(Current),"OK",Current=value,"OK",1=1,"FAIL")

 


 

Paul van der Eerden,
Breaking software for over 20 years.

View solution in original post

Reply
Solved! Jump to solution
Solution

P_vandereerden
Splunk Employee
Splunk Employee
‎06-13-2024 08:01 PM

Something like this should work if the timestamps are unique for each id:

index=mylogs
| sort + _time
| streamstats latest(eval(if(operation="update",value,NULL))) as Current by id 
| eval STATUS=case(isnull(Current),"OK",Current=value,"OK",1=1,"FAIL")

 

With sample data (adjusted slightly for demo purposes and unique timestamps):

 

| makeresults | eval id=124945912 | eval value="FALSE" | eval _time=1718280482 | eval operation="get"
| append [| makeresults | eval id=124945938 | eval value="FALSE" | eval _time=1718280373 | eval operation="get"]
| append [| makeresults | eval id=124945938 | eval value="FALSE" | eval _time=1718280373 | eval operation="update"]
| append [| makeresults | eval id=124945938 | eval value="null" | eval _time=1718280363 | eval operation="get"]
| append [| makeresults | eval id=124945937 | eval value="FALSE" | eval _time=1718280350 | eval operation="get"]
| append [| makeresults | eval id=124945937 | eval value="TRUE" | eval _time=1718280349 | eval operation="update"]
| append [| makeresults | eval id=124945937 | eval value="FALSE" | eval _time=1718280348 | eval operation="update"]
| append [| makeresults | eval id=124945937 | eval value="null" | eval _time=1718280337 | eval operation="get"]
| append [| makeresults | eval id=124945936 | eval value="FALSE" | eval _time=1718280331 | eval operation="get"]
| append [| makeresults | eval id=124945936 | eval value="FALSE" | eval _time=1718280330 | eval operation="update"]
| sort + _time
| streamstats latest(eval(if(operation="update",value,NULL))) as Current by id 
| eval STATUS=case(isnull(Current),"OK",Current=value,"OK",1=1,"FAIL")

 


 

Paul van der Eerden,
Breaking software for over 20 years.
Reply
Solved! Jump to solution

EricMonkeyKing
Explorer
‎06-20-2024 12:55 AM

That perfectly resolved my problem. Many thanks!!!

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...