Solved: Newbee question: Looking for start events without ...

mpjjonker · ‎12-01-2020

Our system logs an event when it receives a message (with a unique key)
Some time later our system also logs an event when we are ready (same unique key)

There are also messages in between.

I want to be able to find which messages have already arrived, but for which we do not (yet) have a "ready" event .
I now have this query

index = <our index> ApplicationName = <our application> | sort DOCID | stats first (_time) as start last (_time) as end by DOCID

And that gives a table with 3 columns, in which sometimes there is an equal value of start and end.

But I now want a list of DOCIDs that do have a start event but no end event.

gcusello · ‎12-01-2020

Hi @mpjjonker,

can you recognize the first event and ready event?

If yes, you could run a search like this:

your_search (start_event OR ready_event)
| stats count BY DOCID
| where count=1

in addition, use earliest and latest for _time in stats

index = <our index> ApplicationName = <our application> 
| stats earliest(_time) as start latest(_time) as end by DOCID

Ciao.

Giuseppe

View solution in original post

gcusello · ‎12-01-2020

Hi @mpjjonker,

can you recognize the first event and ready event?

If yes, you could run a search like this:

your_search (start_event OR ready_event)
| stats count BY DOCID
| where count=1

in addition, use earliest and latest for _time in stats

index = <our index> ApplicationName = <our application> 
| stats earliest(_time) as start latest(_time) as end by DOCID

Ciao.

Giuseppe

Newbee question: Looking for start events without end events with the same key

join

table

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms