Newbee question: Looking for start events without end events with the same key

mpjjonker
Explorer

Our system logs an event when it receives a message (with a unique key).
Some time later our system also logs an event when we are ready (same unique key).

There are also messages in between.

I want to be able to find which messages have already arrived, but for which we do not (yet) have a "ready" event.
I now have this query:

index = <our index> ApplicationName = <our application>
| sort DOCID
| stats first(_time) as start last(_time) as end by DOCID

And that gives a table with 3 columns, in which sometimes there is an equal value of start and end.

But I now want a list of DOCIDs that do have a start event but no end event.


gcusello
Legend

Hi @mpjjonker,

can you recognize the first event and ready event?

If yes, you could run a search like this:

your_search (start_event OR ready_event)
| stats count BY DOCID
| where count=1

In addition, use earliest and latest for _time in stats:

index = <our index> ApplicationName = <our application> 
| stats earliest(_time) as start latest(_time) as end by DOCID

Ciao.

Giuseppe

 

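The two searches in the answer above, replayed offline in Python over a handful of constructed log lines, as an added example that is not part of the original thread and not Splunk code. It assumes a line format of `<timestamp> ApplicationName=<app> event=<name> DOCID=<key>`, with `received` as the start event and `ready` as the end event (all of these names are assumptions for the example). `pending_by_count` mirrors `stats count BY DOCID | where count=1`; `span_by_docid` mirrors `stats earliest(_time) AS start latest(_time) AS end BY DOCID`. The sample deliberately includes a DOCID whose start event was logged twice and a DOCID that has a `ready` event with no start event, so you can see how the count filter behaves on those and compare it with `pending_by_presence`, which only reports keys that have a start event and no end event.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the original post). The format,
# application name and event names are assumptions for this example.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z ApplicationName=docsvc event=received DOCID=A100
2024-05-01T10:00:05Z ApplicationName=docsvc event=progress DOCID=A100
2024-05-01T10:00:09Z ApplicationName=docsvc event=ready DOCID=A100
2024-05-01T10:01:00Z ApplicationName=docsvc event=received DOCID=A101
2024-05-01T10:01:30Z ApplicationName=docsvc event=progress DOCID=A101
2024-05-01T10:02:00Z ApplicationName=docsvc event=received DOCID=A102
2024-05-01T10:02:01Z ApplicationName=docsvc event=received DOCID=A102
2024-05-01T10:02:10Z ApplicationName=docsvc event=progress DOCID=A102
2024-05-01T10:03:00Z ApplicationName=docsvc event=ready DOCID=A103
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ApplicationName=(?P<app>\S+) event=(?P<event>\S+) DOCID=(?P<docid>\S+)$"
)

START_EVENT = "received"  # assumed name of the "message arrived" event
END_EVENT = "ready"       # assumed name of the "we are ready" event


def parse(log_text, app="docsvc"):
    """Return (timestamp, event, docid) tuples for one application,
    like 'index=<x> ApplicationName=<app>' would narrow the search."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["app"] != app:
            continue  # skip malformed lines and other applications
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append((ts, m["event"], m["docid"]))
    return events


def pending_by_count(events):
    """Mirror of: (start_event OR ready_event) | stats count BY DOCID | where count=1.
    Counts only start/end events per key and keeps keys seen exactly once."""
    counts = defaultdict(int)
    for _, ev, docid in events:
        if ev in (START_EVENT, END_EVENT):
            counts[docid] += 1
    return sorted(d for d, c in counts.items() if c == 1)


def pending_by_presence(events):
    """Keys with at least one start event and no end event at all.
    Unlike the count filter this is unaffected by a duplicated start event
    and never reports a key that only has an end event."""
    started, finished = set(), set()
    for _, ev, docid in events:
        if ev == START_EVENT:
            started.add(docid)
        elif ev == END_EVENT:
            finished.add(docid)
    return sorted(started - finished)


def span_by_docid(events):
    """Mirror of: stats earliest(_time) AS start latest(_time) AS end BY DOCID."""
    spans = {}
    for ts, _, docid in events:
        start, end = spans.get(docid, (ts, ts))
        spans[docid] = (min(start, ts), max(end, ts))
    return spans


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("count=1 filter :", pending_by_count(evs))
    print("start-without-end:", pending_by_presence(evs))
    for docid, (start, end) in sorted(span_by_docid(evs).items()):
        print(docid, start.isoformat(), end.isoformat())
```

On this sample the count filter returns A101 and A103: A102 is missed because its two `received` lines make the count 2, and A103 is reported although it never had a start event. The presence check returns A101 and A102. If your application can log the start event more than once (retries, redelivery), or end events can arrive for keys whose start fell outside the search window, the presence-style check is the safer one to run.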
