Splunk Search

Why does this generic search not return results that are returned in a more specific search?

scaparelli
Explorer

I am developing a query that shows stats for events with the same orderId. There is a flaw though. When I run the query, I get results with only one event for an orderId, but when I take the orderId associated with only one event and put it in the original query, the result comes up with 2 events. Here are my queries and results:

(index=k8s_main LogType="KafkaMessageProcessedSuccess" message="OrderLineDestinationChangeRequested" Environment="PROD") OR (index=k8s_main container_name=fraud-single-proxy-listener message="Sending a message to kafka topic=order-events-avro*OrderLineDestinationChangeRequested*")
| rename contextMap.orderId AS nefiOrderId OrderNumber AS omsOrderId
| rename contextMap.requestId AS nefiRequestId NordRequestId AS omsRequestId
| rename OrderLineId as omsOrderLineId
| rex field=message "\"orderLineId\": \"(?<nefiOrderLineId>.*?)\", "
| eval orderLineId = coalesce(nefiOrderLineId, omsOrderLineId)
| eval requestId = mvappend(nefiRequestId, omsRequestId)
| eval orderId = coalesce(nefiOrderId, omsOrderId)
| stats dc(_time) AS eventCount values(_time) AS eventTime values(orderLineId) AS orderLineId values(requestId) AS requestId BY orderId
| where eventCount = 1

[screenshot of the first query's results: Screen Shot 2022-08-16 at 10.58.45 AM.png]

Second query with the orderId in the initial search: 

(index=k8s_main LogType="KafkaMessageProcessedSuccess" message="OrderLineDestinationChangeRequested" Environment="PROD" 381263531) OR (index=k8s_main container_name=fraud-single-proxy-listener message="Sending a message to kafka topic=order-events-avro*OrderLineDestinationChangeRequested*" 381263531)
| rename contextMap.orderId AS nefiOrderId OrderNumber AS omsOrderId
| rename contextMap.requestId AS nefiRequestId NordRequestId AS omsRequestId
| rename OrderLineId as omsOrderLineId
| rex field=message "\"orderLineId\": \"(?<nefiOrderLineId>.*?)\", "
| eval orderLineId = coalesce(nefiOrderLineId, omsOrderLineId)
| eval requestId = mvappend(nefiRequestId, omsRequestId)
| eval orderId = coalesce(nefiOrderId, omsOrderId)
| stats dc(_time) AS eventCount values(_time) AS eventTime values(orderLineId) AS orderLineId values(requestId) AS requestId BY orderId

[screenshot of the second query's results: Screen Shot 2022-08-16 at 11.00.07 AM.png]


ITWhisperer
SplunkTrust

Can you share the two events in code blocks (</>), as I suspect it is something to do with the values extracted from them?


scaparelli
Explorer
{"instant":{"epochSecond":1660665846,"nanoOfSecond":651267000},"thread":"inbound-listener-2","level":"INFO","loggerName":"com.nordstrom.fraud.fsp.listener.kafka.producer.KafkaProducer","message":"Sending a message to kafka topic=order-events-avro, messageKey=381263531, headers={AppId=APP02253, EventTime=1660665846651, Geolocation=47.613040, -122.334092, HEADER_GROUPING_ITEM_COUNT_KEY=1, HEADER_GROUPING_ITEM_INDEX=1, Id=OsOrsa3tjPJpBFwVQp6k56, Nord-Country-Code=US, Nord-Request-Id=16c555d0-a4d6-4059-9aec-9c015d9ce935, OmsModernStack=true, SchemaId=, SystemTime=1660665846651, Type=OrderLineChangeFraudApproved}, payload={\"orderNumber\": \"381263531\", \"orderLineId\": \"6c262fdae7bded09652eb32cf56546cb42d7e6cbc4f35625985a05b8ed2cda88\", \"serviceTicketId\": \"16c555d0-a4d6-4059-9aec-9c015d9ce935\", \"approvalDetails\": \"FRAUD_APPROVED\", \"eventTime\": 2022-08-16T16:04:06.651Z, \"source\": {\"channelCountry\": \"US\", \"channel\": \"OMNI\", \"platform\": \"CSR_PHONE\", \"feature\": \"OrderLineDestinationChangeRequested\", \"serviceName\": null, \"store\": null, \"register\": null}}","endOfBatch":false,"loggerFqcn":"org.apache.logging.slf4j.Log4jLogger","contextMap":{"aggregationGroupId":"16c555d0-a4d6-4059-9aec-9c015d9ce935","countryCode":"US","orderId":"381263531","requestId":"16c555d0-a4d6-4059-9aec-9c015d9ce935"},"threadId":334,"threadPriority":5}

NordClientId="APP03176"|LogCategory="Information"|LogType="KafkaMessageProcessedSuccess"|message="OrderLineDestinationChangeRequested"|ServiceTicketId="16c555d0-a4d6-4059-9aec-9c015d9ce935"|OrderNumber="381263531"|OrderLineId="6c262fdae7bded09652eb32cf56546cb42d7e6cbc4f35625985a05b8ed2cda88"|EventTime="08/16/2022 16:03:14"|KafkaGroupId="Care-CustomerOrderModificationRequestConsumerDynamo-prod"|NordRequestId="16c555d0-a4d6-4059-9aec-9c015d9ce935"|ServerTimestamp="2022-08-16T16:03:15.8035047Z"|NordCountryCode="US"|Environment="PROD"|AppName="customerordermodificationrequestconsumerdynamo-prod"|Pod="release-branch-customerordermodificationrequestconsumerdynamo-prod"|KafkaEventId="16c555d0-a4d6-4059-9aec-9c015d9ce935_1"|KafkaEventType="OrderLineDestinationChangeRequested"|KafkaEventSystemTime="1660665795625"
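As an added example (not part of the thread, and not Splunk's own extraction code), the following Python re-implements the rename, rex, coalesce, mvappend and stats stages of the query from the first post and runs them over the two events posted above, so you can see which fields each event contributes to orderId, orderLineId and requestId and how the two get grouped into one row. It assumes that _time is taken from instant.epochSecond for the JSON event and from ServerTimestamp for the pipe-delimited one, and that Splunk's automatic extraction yields the dotted field names (contextMap.orderId) used in the query; none of that is shown on the page.

```python
"""Re-implementation of the SPL pipeline from the thread, run over the two posted events.

Assumptions not shown on the page: _time comes from instant.epochSecond (JSON event)
and ServerTimestamp (pipe-delimited event); JSON fields are auto-extracted as dotted names.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Event 1 as posted: log4j JSON from the fraud listener (raw string keeps the \" escapes).
JSON_EVENT = r'''{"instant":{"epochSecond":1660665846,"nanoOfSecond":651267000},"thread":"inbound-listener-2","level":"INFO","loggerName":"com.nordstrom.fraud.fsp.listener.kafka.producer.KafkaProducer","message":"Sending a message to kafka topic=order-events-avro, messageKey=381263531, headers={AppId=APP02253, EventTime=1660665846651, Geolocation=47.613040, -122.334092, HEADER_GROUPING_ITEM_COUNT_KEY=1, HEADER_GROUPING_ITEM_INDEX=1, Id=OsOrsa3tjPJpBFwVQp6k56, Nord-Country-Code=US, Nord-Request-Id=16c555d0-a4d6-4059-9aec-9c015d9ce935, OmsModernStack=true, SchemaId=, SystemTime=1660665846651, Type=OrderLineChangeFraudApproved}, payload={\"orderNumber\": \"381263531\", \"orderLineId\": \"6c262fdae7bded09652eb32cf56546cb42d7e6cbc4f35625985a05b8ed2cda88\", \"serviceTicketId\": \"16c555d0-a4d6-4059-9aec-9c015d9ce935\", \"approvalDetails\": \"FRAUD_APPROVED\", \"eventTime\": 2022-08-16T16:04:06.651Z, \"source\": {\"channelCountry\": \"US\", \"channel\": \"OMNI\", \"platform\": \"CSR_PHONE\", \"feature\": \"OrderLineDestinationChangeRequested\", \"serviceName\": null, \"store\": null, \"register\": null}}","endOfBatch":false,"loggerFqcn":"org.apache.logging.slf4j.Log4jLogger","contextMap":{"aggregationGroupId":"16c555d0-a4d6-4059-9aec-9c015d9ce935","countryCode":"US","orderId":"381263531","requestId":"16c555d0-a4d6-4059-9aec-9c015d9ce935"},"threadId":334,"threadPriority":5}'''

# Event 2 as posted: pipe-delimited key="value" pairs from the OMS consumer.
KV_EVENT = 'NordClientId="APP03176"|LogCategory="Information"|LogType="KafkaMessageProcessedSuccess"|message="OrderLineDestinationChangeRequested"|ServiceTicketId="16c555d0-a4d6-4059-9aec-9c015d9ce935"|OrderNumber="381263531"|OrderLineId="6c262fdae7bded09652eb32cf56546cb42d7e6cbc4f35625985a05b8ed2cda88"|EventTime="08/16/2022 16:03:14"|KafkaGroupId="Care-CustomerOrderModificationRequestConsumerDynamo-prod"|NordRequestId="16c555d0-a4d6-4059-9aec-9c015d9ce935"|ServerTimestamp="2022-08-16T16:03:15.8035047Z"|NordCountryCode="US"|Environment="PROD"|AppName="customerordermodificationrequestconsumerdynamo-prod"|Pod="release-branch-customerordermodificationrequestconsumerdynamo-prod"|KafkaEventId="16c555d0-a4d6-4059-9aec-9c015d9ce935_1"|KafkaEventType="OrderLineDestinationChangeRequested"|KafkaEventSystemTime="1660665795625"'


def extract_fields(raw: str) -> dict:
    """Approximate Splunk's automatic field extraction for the two event shapes."""
    fields = {}
    if raw.lstrip().startswith("{"):
        obj = json.loads(raw)

        def flatten(prefix: str, value) -> None:
            # Nested JSON becomes dotted field names, e.g. contextMap.orderId
            if isinstance(value, dict):
                for k, v in value.items():
                    flatten(f"{prefix}{k}.", v)
            else:
                fields[prefix.rstrip(".")] = value

        flatten("", obj)
        fields["_time"] = int(obj["instant"]["epochSecond"])  # assumption: timestamp source
    else:
        for key, val in re.findall(r'(\w+)="([^"]*)"', raw):
            fields[key] = val
        # Assumption: ServerTimestamp is the indexed time; drop the 7-digit fraction
        ts = datetime.strptime(fields["ServerTimestamp"][:19], "%Y-%m-%dT%H:%M:%S")
        fields["_time"] = int(ts.replace(tzinfo=timezone.utc).timestamp())
    return fields


RENAMES = {  # the three | rename stages of the query
    "contextMap.orderId": "nefiOrderId", "OrderNumber": "omsOrderId",
    "contextMap.requestId": "nefiRequestId", "NordRequestId": "omsRequestId",
    "OrderLineId": "omsOrderLineId",
}
ORDER_LINE_RE = re.compile(r'"orderLineId": "(?P<nefiOrderLineId>.*?)", ')  # | rex field=message


def coalesce(*values):
    """SPL coalesce(): the first argument that is not null."""
    return next((v for v in values if v is not None), None)


def spl_pipeline(fields: dict) -> dict:
    """Apply the query's rename, rex and eval stages to one extracted event."""
    f = dict(fields)
    for old, new in RENAMES.items():
        if old in f:
            f[new] = f.pop(old)
    m = ORDER_LINE_RE.search(str(f.get("message", "")))
    if m:
        f["nefiOrderLineId"] = m.group("nefiOrderLineId")
    f["orderLineId"] = coalesce(f.get("nefiOrderLineId"), f.get("omsOrderLineId"))
    # mvappend() keeps every non-null argument as a multivalue field
    f["requestId"] = [v for v in (f.get("nefiRequestId"), f.get("omsRequestId")) if v is not None]
    f["orderId"] = coalesce(f.get("nefiOrderId"), f.get("omsOrderId"))
    return f


def stats_by_order(events: list) -> dict:
    """| stats dc(_time) AS eventCount values(...) BY orderId, plus a plain count for comparison."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev["orderId"]].append(ev)
    result = {}
    for order_id, evs in groups.items():
        times = {e["_time"] for e in evs}
        result[order_id] = {
            "eventCount": len(times),  # dc(_time): distinct timestamps, not events
            "count": len(evs),         # what count would report for the same group
            "eventTime": sorted(times),
            "orderLineId": sorted({e["orderLineId"] for e in evs if e["orderLineId"]}),
            "requestId": sorted({r for e in evs for r in e["requestId"]}),
        }
    return result


def run_thread_events() -> dict:
    """Run both posted events through the pipeline and group them by orderId."""
    events = [spl_pipeline(extract_fields(raw)) for raw in (JSON_EVENT, KV_EVENT)]
    return stats_by_order(events)


if __name__ == "__main__":
    print(json.dumps(run_thread_events(), indent=2))
```

Both events resolve to orderId 381263531, each supplying one side of the coalesce (contextMap.orderId from the JSON event, OrderNumber from the pipe-delimited one), and the row ends up with eventCount 2 because the two timestamps differ. The extra count column is the check worth keeping: dc(_time) counts distinct timestamps, so two events that share an _time collapse to eventCount 1 while count still reports 2, and the where clause in the first query filters on the former.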

yuanliu
SplunkTrust

@scaparelli wrote:

{"instant":{"epochSecond":1660665846,"nanoOfSecond":651267000},"thread":"inbound-listener-2","level":"INFO","loggerName":"com.nordstrom.fraud.fsp.listener.kafka.producer.KafkaProducer","message":"Sending a message to kafka topic=order-events-avro, messageKey=381263531, headers={AppId=APP02253, EventTime=1660665846651, Geolocation=47.613040, -122.334092, HEADER_GROUPING_ITEM_COUNT_KEY=1, HEADER_GROUPING_ITEM_INDEX=1, Id=OsOrsa3tjPJpBFwVQp6k56, Nord-Country-Code=US, Nord-Request-Id=16c555d0-a4d6-4059-9aec-9c015d9ce935, OmsModernStack=true, SchemaId=, SystemTime=1660665846651, Type=OrderLineChangeFraudApproved}, payload={\"orderNumber\": \"381263531\", \"orderLineId\": \"6c262fdae7bded09652eb32cf56546cb42d7e6cbc4f35625985a05b8ed2cda88\", \"serviceTicketId\": \"16c555d0-a4d6-4059-9aec-9c015d9ce935\", \"approvalDetails\": \"FRAUD_APPROVED\", \"eventTime\": 2022-08-16T16:04:06.651Z, \"source\": {\"channelCountry\": \"US\", \"channel\": \"OMNI\", \"platform\": \"CSR_PHONE\", \"feature\": \"OrderLineDestinationChangeRequested\", \"serviceName\": null, \"store\": null, \"register\": null}}","endOfBatch":false,"loggerFqcn":"org.apache.logging.slf4j.Log4jLogger","contextMap":{"aggregationGroupId":"16c555d0-a4d6-4059-9aec-9c015d9ce935","countryCode":"US","orderId":"381263531","requestId":"16c555d0-a4d6-4059-9aec-9c015d9ce935"},"threadId":334,"threadPriority":5}

This event should be impossible to pick up in either search. It doesn't match LogType="KafkaMessageProcessedSuccess" because there is no LogType field, and it also doesn't match container_name=fraud-single-proxy-listener because there is no container_name field. These two terms exist in both searches.


richgalloway
SplunkTrust

The last line of the first query limits the results to those with a single event for each orderId.  The second query does not have that where command so orderIds with two or more events are shown.


scaparelli
Explorer

So if you look closely at the queries, I am taking the orderId from the first query that has the `where` statement, and using it in the exact same query without the `where` parameters but in the base search.

The second query comes up with 2 events for the orderId whereas the first comes up with 1 event for the orderId.

My question is why?

The logs for that orderId should not exist in the first query result.
