Splunk Search

How to merge two different indexes and calculate the time between the start event and the end event?

Sekhar
Explorer

I have two events.

Event 1: index=non prod source=test.log "recived msg" | fields _time batchid

Event 2: index=non-agent source=test1log "acknowledgement msg" | fields _time batchid

Calculate the time between the start event and the end event where it is more than 30 sec.
1 Solution

woodcock
Esteemed Legend

(index=non prod source=test.log "recived msg")
OR (index=non-agent source=test1log "acknowledgement msg")
| eval which=if(match(_raw, "recived msg"), "received", "acknowledged")
| stats range(_time) AS range dc(which) AS whiches BY batchid
| where whiches>1 AND range>30


Sekhar
Explorer

(index=non prod source=test.log "recived msg")
OR (index=non-agent source=test1log "acknowledgement msg")
| eval which=if(match(_raw, "recived msg"), "received", "acknowledged")
| stats min(_time) AS starttime max(_time) AS endtime values(which) AS msg BY batchid

Getting the below result:

Batchid      msg
Bid123.      Received msg
Bid23345.    Received msg
             acknowledged

I require only the batchids having both recived msg and acknowledged, and a count of those with duration > 30 sec.


ITWhisperer
SplunkTrust

You have been given a couple of options as to how to find the batches which exceed 30 seconds. You appear to have adopted neither one. Perhaps you should start by using one of the solutions?


Sekhar
Explorer

I tried the below query:

(index=x sourcetype=xx "saved msg") OR (index=y sourcetype=y "recived msg") | stats values(_time) as time values(actionid) as actionid values(batchid) as batchid by manid | eval duration = max(time) - min(time) | stats count count(eval(duration > 30)) as exceeded

Getting a result count for both saved msg and received msg.

A manid may have multiple saved msg requests, but we require both saved msg and received msg by manid.


ITWhisperer
SplunkTrust

To be honest, your requirement is confusing as you keep changing field names etc. However, does this get you closer to what you are after?

(index=x sourcetype=xx "saved msg") OR (index=y sourcetype=y "recived msg")
| fields _time manid index
| eval received_time=if(index="y",_time,null())
| eval saved_time=if(index="x",_time,null())
| stats min(received_time) as received_time min(saved_time) as saved_time by manid
| eval duration = saved_time - received_time
| stats count count(eval(duration > 30)) as exceeded

ITWhisperer
SplunkTrust

Assuming batchid uniquely identifies correlated events:

(index=non prod source=test.log "recived msg") OR (index =non-agent source=test1log "acknowledgement msg")
| fields _time batchid 
| eval received_time=if(index="non prod",_time,null())
| eval acknowledged_time=if(index="non-agent",_time,null())
| stats values(received_time) as received_time values(acknowledged_time) as acknowledged_time by batchid
| eval elapsed_time=acknowledged_time-received_time

Sekhar
Explorer

Only the batchid column is displayed with values; the received_time and acknowledged_time columns are getting empty values.


ITWhisperer
SplunkTrust

Please share more accurate representations of the events from both indexes and the search which is failing.

Please use a code block </> so that formatting information is not lost.


Sekhar
Explorer

Start event

index=nonprof source=mps-test | spath application="testapp" "saved msg" SVD | extract fields actionid, batchid, manid and status | table _time batchid manid actionid status

End event

index=testprod sourcetype=testlogs source=test eventhandler "test passed" "msg recived" | extract fields manid actionid | table _time manid actionid

Function

Calculate the difference between the start event and the end event grouped by manid, and count the number of manids whose difference exceeds 30 seconds.


ITWhisperer
SplunkTrust

OK, so that looks like an approximation of your SPL, so what you need to do, approximately, is group by manid.

If you provide a more accurate listing of your SPL searches, I might be able to be more specific!

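An added SPL example (not posted by anyone in this thread) that puts the suggestions above together for the start and end events as Sekhar last described them: it pairs the "saved msg" start event with the "msg recived" end event by manid, keeps only the manids that have both, and counts those whose gap exceeds 30 seconds. The index, source and sourcetype values are the ones quoted in the thread and are assumptions to adjust to the real environment; min() and max() are used instead of values() because a manid with several saved msg events would make values() multivalue, and eval arithmetic on a multivalue field returns null (which shows up as an empty column).

```spl
(index=nonprof source=mps-test "saved msg") OR (index=testprod sourcetype=testlogs "msg recived")
| fields _time index manid
| eval start_time=if(index="nonprof", _time, null())
| eval end_time=if(index="testprod", _time, null())
| stats min(start_time) AS start_time max(end_time) AS end_time BY manid
| where isnotnull(start_time) AND isnotnull(end_time)
| eval duration=end_time-start_time
| eval exceeded=if(duration>30, 1, 0)
| stats count AS manids_paired sum(exceeded) AS manids_over_30s
```

Taking the earliest start and the latest end gives the longest span per manid; swap to max(start_time) and min(end_time) if the last request and first acknowledgement are the pair that matters. Drop the final stats line to see the per-manid durations instead of the totals.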

Sekhar
Explorer

Calculate the difference between the start event and the end event grouped by manid, and count the number of manids whose difference exceeds 30 seconds.

Based on the above two events, perform the above condition.


ITWhisperer
SplunkTrust

What you provided above are not events, they are approximations of the SPL searches you used to retrieve the events. If you want help, you need to provide information that is useful to those of us endeavouring to assist you, not just repeat what you have already said.
