Why does this generic search not return results that are returned in a more specific search?

scaparelli
Explorer

I am developing a query that shows stats for events with the same orderId. There is a flaw though. When I run the query, I get results with only one event for an orderId, but when I take the orderId associated with only one event and put it in the original query, the result comes up with 2 events. Here are my queries and results:

(index=k8s_main LogType="KafkaMessageProcessedSuccess" message="OrderLineDestinationChangeRequested" Environment="PROD") OR (index=k8s_main container_name=fraud-single-proxy-listener message="Sending a message to kafka topic=order-events-avro*OrderLineDestinationChangeRequested*")
| rename contextMap.orderId AS nefiOrderId OrderNumber AS omsOrderId
| rename contextMap.requestId AS nefiRequestId NordRequestId AS omsRequestId
| rename OrderLineId as omsOrderLineId
| rex field=message "\"orderLineId\": \"(?<nefiOrderLineId>.*?)\", "
| eval orderLineId = coalesce(nefiOrderLineId, omsOrderLineId)
| eval requestId = mvappend(nefiRequestId, omsRequestId)
| eval orderId = coalesce(nefiOrderId, omsOrderId)
| stats dc(_time) AS eventCount values(_time) AS eventTime values(orderLineId) AS orderLineId values(requestId) AS requestId BY orderId
| where eventCount = 1

[Screenshot: Screen Shot 2022-08-16 at 10.58.45 AM.png]

Second query with the orderId in the initial search: 

(index=k8s_main LogType="KafkaMessageProcessedSuccess" message="OrderLineDestinationChangeRequested" Environment="PROD" 381263531) OR (index=k8s_main container_name=fraud-single-proxy-listener message="Sending a message to kafka topic=order-events-avro*OrderLineDestinationChangeRequested*" 381263531)
| rename contextMap.orderId AS nefiOrderId OrderNumber AS omsOrderId
| rename contextMap.requestId AS nefiRequestId NordRequestId AS omsRequestId
| rename OrderLineId as omsOrderLineId
| rex field=message "\"orderLineId\": \"(?<nefiOrderLineId>.*?)\", "
| eval orderLineId = coalesce(nefiOrderLineId, omsOrderLineId)
| eval requestId = mvappend(nefiRequestId, omsRequestId)
| eval orderId = coalesce(nefiOrderId, omsOrderId)
| stats dc(_time) AS eventCount values(_time) AS eventTime values(orderLineId) AS orderLineId values(requestId) AS requestId BY orderId

[Screenshot: Screen Shot 2022-08-16 at 11.00.07 AM.png]

0 Karma

ITWhisperer
SplunkTrust

Can you share the two events in code blocks </> as I suspect it is something to do with the values extracted from them?

0 Karma

scaparelli
Explorer
{"instant":{"epochSecond":1660665846,"nanoOfSecond":651267000},"thread":"inbound-listener-2","level":"INFO","loggerName":"com.nordstrom.fraud.fsp.listener.kafka.producer.KafkaProducer","message":"Sending a message to kafka topic=order-events-avro, messageKey=381263531, headers={AppId=APP02253, EventTime=1660665846651, Geolocation=47.613040, -122.334092, HEADER_GROUPING_ITEM_COUNT_KEY=1, HEADER_GROUPING_ITEM_INDEX=1, Id=OsOrsa3tjPJpBFwVQp6k56, Nord-Country-Code=US, Nord-Request-Id=16c555d0-a4d6-4059-9aec-9c015d9ce935, OmsModernStack=true, SchemaId=, SystemTime=1660665846651, Type=OrderLineChangeFraudApproved}, payload={\"orderNumber\": \"381263531\", \"orderLineId\": \"6c262fdae7bded09652eb32cf56546cb42d7e6cbc4f35625985a05b8ed2cda88\", \"serviceTicketId\": \"16c555d0-a4d6-4059-9aec-9c015d9ce935\", \"approvalDetails\": \"FRAUD_APPROVED\", \"eventTime\": 2022-08-16T16:04:06.651Z, \"source\": {\"channelCountry\": \"US\", \"channel\": \"OMNI\", \"platform\": \"CSR_PHONE\", \"feature\": \"OrderLineDestinationChangeRequested\", \"serviceName\": null, \"store\": null, \"register\": null}}","endOfBatch":false,"loggerFqcn":"org.apache.logging.slf4j.Log4jLogger","contextMap":{"aggregationGroupId":"16c555d0-a4d6-4059-9aec-9c015d9ce935","countryCode":"US","orderId":"381263531","requestId":"16c555d0-a4d6-4059-9aec-9c015d9ce935"},"threadId":334,"threadPriority":5}
NordClientId="APP03176"|LogCategory="Information"|LogType="KafkaMessageProcessedSuccess"|message="OrderLineDestinationChangeRequested"|ServiceTicketId="16c555d0-a4d6-4059-9aec-9c015d9ce935"|OrderNumber="381263531"|OrderLineId="6c262fdae7bded09652eb32cf56546cb42d7e6cbc4f35625985a05b8ed2cda88"|EventTime="08/16/2022 16:03:14"|KafkaGroupId="Care-CustomerOrderModificationRequestConsumerDynamo-prod"|NordRequestId="16c555d0-a4d6-4059-9aec-9c015d9ce935"|ServerTimestamp="2022-08-16T16:03:15.8035047Z"|NordCountryCode="US"|Environment="PROD"|AppName="customerordermodificationrequestconsumerdynamo-prod"|Pod="release-branch-customerordermodificationrequestconsumerdynamo-prod"|KafkaEventId="16c555d0-a4d6-4059-9aec-9c015d9ce935_1"|KafkaEventType="OrderLineDestinationChangeRequested"|KafkaEventSystemTime="1660665795625"
0 Karma
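The two events above come from different log formats that the query has to fold into one orderId. As an added illustration (not code from this thread or from Splunk), the Python below emulates Splunk's automatic field extraction, the rename/rex/coalesce/mvappend steps and `stats dc(_time) AS eventCount values(...) BY orderId` over trimmed copies of the two posted events; the `_time` values passed in are assumed, and the extraction logic is a simplification of Splunk's.

```python
import json
import re

# Constructed sample events, trimmed from the two events posted above (same orderId,
# orderLineId and request id; other fields dropped).
LINE_ID = "6c262fdae7bded09652eb32cf56546cb42d7e6cbc4f35625985a05b8ed2cda88"
REQ_ID = "16c555d0-a4d6-4059-9aec-9c015d9ce935"
EVENT_JSON = json.dumps({  # Log4j JSON event from the fraud-single-proxy-listener container
    "message": 'Sending a message to kafka topic=order-events-avro, messageKey=381263531, '
               'payload={"orderNumber": "381263531", "orderLineId": "%s", '
               '"serviceTicketId": "%s"}' % (LINE_ID, REQ_ID),
    "contextMap": {"orderId": "381263531", "requestId": REQ_ID}})
EVENT_KV = ('LogType="KafkaMessageProcessedSuccess"|message="OrderLineDestinationChangeRequested"|'
            'OrderNumber="381263531"|OrderLineId="%s"|NordRequestId="%s"|Environment="PROD"'
            % (LINE_ID, REQ_ID))
# The thread's rex, as the regex engine sees it once SPL has unescaped the \" sequences.
REX = re.compile(r'"orderLineId": "(?P<nefiOrderLineId>.*?)", ')


def extract_fields(raw, _time):
    """Mimic Splunk auto-extraction: JSON -> dotted keys (contextMap.orderId), pipes -> key="value"."""
    fields = {"_time": _time}
    if raw.lstrip().startswith("{"):
        def flatten(obj, prefix=""):
            for key, val in obj.items():
                if isinstance(val, dict):
                    flatten(val, prefix + key + ".")
                else:
                    fields[prefix + key] = val
        flatten(json.loads(raw))
    else:
        fields.update(re.findall(r'(\w+)="([^"]*)"', raw))
    return fields


def coalesce(*values):  # SPL coalesce(): first non-null value ("" still counts as a value)
    return next((v for v in values if v is not None), None)


def run_stats(events):
    """The rename/rex/coalesce/mvappend steps, then stats dc(_time) AS eventCount
    values(orderLineId) values(requestId) BY orderId. Returns {orderId: row}."""
    groups = {}
    for f in events:
        m = REX.search(str(f.get("message", "")))
        order_id = coalesce(f.get("contextMap.orderId"), f.get("OrderNumber"))
        row = groups.setdefault(order_id, {"_time": set(), "orderLineId": set(), "requestId": set()})
        row["_time"].add(f["_time"])
        row["orderLineId"].add(coalesce(m.group("nefiOrderLineId") if m else None, f.get("OrderLineId")))
        row["requestId"].update(v for v in (f.get("contextMap.requestId"), f.get("NordRequestId")) if v)
    # dc(_time) counts distinct timestamps, not events: two events sharing one _time count as 1.
    return {oid: {"eventCount": len(r["_time"]), "orderLineId": sorted(r["orderLineId"]),
                  "requestId": sorted(r["requestId"])} for oid, r in groups.items()}
```

Because eventCount is dc(_time) rather than count, two matching events that carry the same timestamp are reported as a single event; that is worth checking before trusting a `where eventCount = 1` filter.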

yuanliu
SplunkTrust

@scaparelli wrote:

{"instant":{"epochSecond":1660665846,"nanoOfSecond":651267000},"thread":"inbound-listener-2","level":"INFO","loggerName":"com.nordstrom.fraud.fsp.listener.kafka.producer.KafkaProducer","message":"Sending a message to kafka topic=order-events-avro, messageKey=381263531, headers={AppId=APP02253, EventTime=1660665846651, Geolocation=47.613040, -122.334092, HEADER_GROUPING_ITEM_COUNT_KEY=1, HEADER_GROUPING_ITEM_INDEX=1, Id=OsOrsa3tjPJpBFwVQp6k56, Nord-Country-Code=US, Nord-Request-Id=16c555d0-a4d6-4059-9aec-9c015d9ce935, OmsModernStack=true, SchemaId=, SystemTime=1660665846651, Type=OrderLineChangeFraudApproved}, payload={\"orderNumber\": \"381263531\", \"orderLineId\": \"6c262fdae7bded09652eb32cf56546cb42d7e6cbc4f35625985a05b8ed2cda88\", \"serviceTicketId\": \"16c555d0-a4d6-4059-9aec-9c015d9ce935\", \"approvalDetails\": \"FRAUD_APPROVED\", \"eventTime\": 2022-08-16T16:04:06.651Z, \"source\": {\"channelCountry\": \"US\", \"channel\": \"OMNI\", \"platform\": \"CSR_PHONE\", \"feature\": \"OrderLineDestinationChangeRequested\", \"serviceName\": null, \"store\": null, \"register\": null}}","endOfBatch":false,"loggerFqcn":"org.apache.logging.slf4j.Log4jLogger","contextMap":{"aggregationGroupId":"16c555d0-a4d6-4059-9aec-9c015d9ce935","countryCode":"US","orderId":"381263531","requestId":"16c555d0-a4d6-4059-9aec-9c015d9ce935"},"threadId":334,"threadPriority":5}

It should be impossible for this event to be picked up by either search. It doesn't match LogType="KafkaMessageProcessedSuccess" because there is no LogType field, and it doesn't match container_name=fraud-single-proxy-listener because there is no container_name field. These two terms exist in both searches.

0 Karma

richgalloway
SplunkTrust

The last line of the first query limits the results to those with a single event for each orderId. The second query does not have that where command, so orderIds with two or more events are shown.

---
If this reply helps you, Karma would be appreciated.
0 Karma

scaparelli
Explorer

So if you look closely at the queries, I am taking the orderId from the first query that has the `where` statement, and using it in the exact same query without the `where` parameters but in the base search.

The second query comes up with 2 events for the orderId whereas the first comes up with 1 event for the orderId.

My question is why?

The logs for that orderId should not exist in the first query result.

0 Karma