Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Join consecutive events in same index

intelli2019
New Member
‎07-27-2019 12:03 PM

Hi,
I thought this would be easy but no!
I'm doing the query below on the Sample data below but the FileTime_END value I'm getting is 15:29:00 for every line (don't have enough points to attach images or post links sorry).
What am I doing wrong? Also is there a better way to do this without a JOIN?

Cheers guys.

index="file-times" State=Start | table Service FileTime State | rename Service as Service_Start FileTime as Filetime_Start, State as State_Start
| join Service type=outer [search index="file-times" State=END | table FileTime State | rename FileTime as Filetime_End, State as State_End]

Sample Log/Index Data:
23/07/2019 09:34:00, Service=RR, FileTime=9:33:45, State=START
23/07/2019 10:31:00, Service=RR, FileTime=10:30:45, State=END
23/07/2019 11:01:00, Service=HHR, FileTime=11:00:32, State=START
23/07/2019 11:31:00, Service=HHR, FileTime=11:30:32, State=END
23/07/2019 12:01:00, Service=LPE, FileTime=12:00:32, State=START
23/07/2019 12:55:00, Service=LPE, FileTime=12:54:32, State=END
23/07/2019 12:01:00, Service=SMURF, FileTime=12:00:32, State=START
23/07/2019 13:01:00, Service=SMURF, FileTime=13:00:00, State=END
23/07/2019 14:00:00, Service=TEST, FileTime=14:05:00, State=START
23/07/2019 14:30:00, Service=TEST, FileTime=14:29:00, State=END
23/07/2019 15:00:00, Service=TEST1, FileTime=15:05:00, State=START
23/07/2019 15:30:00, Service=TEST1, FileTime=15:29:00, State=END

0 Karma
Reply

woodcock
Esteemed Legend
‎07-29-2019 10:08 PM

Like this:

| makeresults 
| eval raw="time=23/07/2019T09:34:00,Service=RR,FileTime=9:33:45,State=START time=23/07/2019T10:31:00,Service=RR,FileTime=10:30:45,State=END time=23/07/2019T11:01:00,Service=HHR,FileTime=11:00:32,State=START time=23/07/2019T11:31:00,Service=HHR,FileTime=11:30:32,State=END time=23/07/2019T12:01:00,Service=LPE,FileTime=12:00:32,State=START time=23/07/2019T12:55:00,Service=LPE,FileTime=12:54:32,State=END time=23/07/2019T12:01:00,Service=SMURF,FileTime=12:00:32,State=START time=23/07/2019T13:01:00,Service=SMURF,FileTime=13:00:00,State=END time=23/07/2019T14:00:00,Service=TEST,FileTime=14:05:00,State=START time=23/07/2019T14:30:00,Service=TEST,FileTime=14:29:00,State=END time=23/07/2019T15:00:00,Service=TEST1,FileTime=15:05:00,State=START time=23/07/2019T15:30:00,Service=TEST1,FileTime=15:29:00,State=END"
| makemv raw
| mvexpand raw
| rename raw AS _raw
| kv
| eval _time = strptime(time, "%d/%m/%YT%H:%M:%S")
| sort 0 - _time

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| reverse
| stats list(*) AS * BY Service
0 Karma
Reply

nathc100
New Member
‎08-05-2019 04:57 PM

Hi woodcock,
Sorry mate I'm pretty new at this. Could you explain what your query does a little please?
It looks like you're creating some raw data to query but this would be coming from a daily log file in my case.
Cheers
Nathan

0 Karma
Reply

woodcock
Esteemed Legend
‎08-05-2019 05:00 PM

See line 10? It explains it. You replace everything through line 10 with your main search and then use lines 12-13 to do what you were asking.

0 Karma
Reply

intelli2019
New Member
‎07-27-2019 10:24 PM

Thanks! I will try this. The production index will have multiple days data in it. To get min and max filetime by service for each day I just add a date field to the end of the query? I.e “by Service, Date” instead of just “by Service” ?

0 Karma
Reply

HiroshiSatoh
Champion
‎07-27-2019 08:16 PM

Try this!

index="file-times"
|stats max(FILETIME) as Filetime_End,min(FILETIME) as Filetime_Start by Service

You can also use the transaction command.

0 Karma
Reply

intelli2019
New Member
‎07-27-2019 10:25 PM

Thanks! I will try this. The production index will have multiple days data in it. To get min and max filetime by service for each day I just add a date field to the end of the query? I.e “by Service, Date” instead of just “by Service” ?

0 Karma
Reply

HiroshiSatoh
Champion
‎07-28-2019 04:27 AM

index="file-times"
|eval date=substr(FILETIME,1,10)
|stats max(FILETIME) as Filetime_End,min(FILETIME) as Filetime_Start by Service,date

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...