Splunk Search

How to search Data correlation solution

cecilia_cheng1
Explorer

Hi Community,

I have this problem about data correlation, here's the detail.

The source file is a test result summary named summary.xml, and it's not time sensitive. Splunk will parse the file into some events like event1, 2, 3, etc. The test info is in event 1 and the results are in events 2, 3, 4. My goal is to count the results of all tests under the same info. I don't know how to link this info.

What kind of SPL search I could use?

For example:

Summary1.xml:

event1 test info: alpha
event2 Pass  
event3 Fail  
event4 Fail  

Summary2.xml:

event1 test info: beta
event2 Pass  
event3 Pass  
event4 Pass  


The results I expected:

Test info   results
alpha       pass: 1, failed: 2
beta        pass: 3, failed: 0

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @cecilia_cheng1,

you should ingest data in a way that every file is an event; in this way you have all the information in the same event.

But anyway, is the file name always different from the previous ones, or could there be more files with the same name? In other words, can we use the source as a unique key?

Then, could you share some sample of your data?

Ciao.

Giuseppe

0 Karma

cecilia_cheng1
Explorer

Hi @gcusello ,

Sorry for the vague description. I post the detail pic as follows:

The summary is gathered from different hosts and stored in different DIRs with the same name.

The source name is not a unique key. A test file is the result of a host testing a load multiple times.

I have extracted the info I need, which is loadname and result1. But these two infos are not shown in the same line... It is impossible to count result1 by loadname, as shown in pic 3.

Pic1:

commu1.png

pic2:

conmmu2.png

pic3:

conmmu3.png

0 Karma

Software-Simian
Path Finder

sorry but your data quality is really bad....


you have fields with NULL values and you are using those fields for "by" clauses

0 Karma

cecilia_cheng1
Explorer

Agreed... Those are the original data. The info I need is not shown at the same time; it's not in the same line... That's why there are so many NULLs... 😭

0 Karma

Software-Simian
Path Finder

Well then you need to provide us with a mapping of columns and their values and how they should be mapped... ATM this is not possible. Nowhere in your screenshots can we see anything about alpha and beta.

If you are familiar with a bit of coding write some pseudo code here.

0 Karma

cecilia_cheng1
Explorer

Not quite sure what info I should provide...

Something like the following, but need to replace source column with loadname.

If this requirement is impossible, should I write a script to preprocess the data or some other solution?

conmmu4.png

0 Karma

Software-Simian
Path Finder

you need to provide more information on the data...

Your screenshots include the same query... how can you differentiate between event A that provides grouping data for tests and the test results themselves?

0 Karma

Software-Simian
Path Finder

Hi, you are missing some data in the columns with alpha and beta.

Event    Result   Test Type
event2   Pass     alpha
event3   Fail     alpha
event4   Fail     alpha
event2   Pass     beta
event3   Pass     beta
event4   Pass     beta

That is what you should aim for, as your column headers, as far as I see from your post, are misleading.
with that you can do:

| stats count by "Test Type" Result

0 Karma

cecilia_cheng1
Explorer

Hi @Software-Simian ,

Thank you for your quick reply.

That's the tricky part, cuz the test type and test results are not in the same event... So I was wondering if there's a command or something that can link this info together.

BR.

Cecilia

0 Karma

Software-Simian
Path Finder

Anyhow, you need a series of fields as unique identifier...and event2 is not unique and the event line only states event2 and Pass...but not if it belongs to alpha or beta...

You need real headers...your tables start with content, that makes it hard to answer

are all summaries at least in the same index? Or are those events volatile and not persistent?

0 Karma
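One way to link the info across events, added here as an example that is not from any poster in this thread: carry the `loadname` from the event1 line forward onto the following result events of the same file with `streamstats`, then count by it. It assumes an index named `test_results` (placeholder), that `loadname` and `result1` are the fields Cecilia already extracts, that all events of one file share `host` and `source` (the "unique identifier" discussed above), and that sorting those events by `_time` ascending restores their order in the file.

```spl
index=test_results source="*summary.xml"
| sort 0 host source _time
| streamstats last(loadname) as loadname by host source
| where isnotnull(result1)
| stats count(eval(result1="Pass")) as pass
        count(eval(result1="Fail")) as failed
        by loadname
```

`streamstats last(loadname)` ignores the NULL `loadname` on the result events, so each result inherits the most recent test info seen in the same host/source stream; the `where` then drops the event1 lines themselves so they are not counted as results. If several runs of the same file on the same host must be kept apart, add another grouping field (for example a run id extracted from the file) to the `by` clauses.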