Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

combine events

Mike6960
Path Finder
‎11-27-2017 07:28 AM

Hi,
I am working on a search. The data consists of requests and answers. The answer and the request have the same unique ID (message.MessageId). Each request and answer has a message.RequestId. The answer also has an message.PreviousRequestId which is the initial message.RequestId from the request.
I need to monitor whether each request has received (or not) an answer and measure the time between them (using message.CreationDate). So far i have got this :

...search....
| transaction message.MessageId
| table message.MessageId message.CreationDate message.location message.RequestId message.PreviousRequestId
This reults in events combining the request and the answer like this:
alt text
What i would like (if possible) is that per messageId i get on line with the different values so i can calculate the difference

Tags (1)
Preview file
36 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎11-27-2017 09:17 AM

The transaction command would automatically calculate the difference in the field duration. So adding that to your table command would do for you here.

But transaction commands are really expensive. Since, your transactions have just two events with no complicated conditions, you can try this more efficient alternative as well.

...search.... 
| eval epochCreationDate=strptime('message.CreationDate',"%Y-%m-%dT%H:%M:%S.%N%z")
| stats values(message.CreationDate) as CreationDate values(message.location) as Location values(message.RequestId) as RequestId values(message.PreviousRequestId) as PreviousRequestId range(epochCreationDate) as Duration by message.MessageId

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎11-27-2017 09:17 AM

The transaction command would automatically calculate the difference in the field duration. So adding that to your table command would do for you here.

But transaction commands are really expensive. Since, your transactions have just two events with no complicated conditions, you can try this more efficient alternative as well.

...search.... 
| eval epochCreationDate=strptime('message.CreationDate',"%Y-%m-%dT%H:%M:%S.%N%z")
| stats values(message.CreationDate) as CreationDate values(message.location) as Location values(message.RequestId) as RequestId values(message.PreviousRequestId) as PreviousRequestId range(epochCreationDate) as Duration by message.MessageId
Reply
Solved! Jump to solution

Mike6960
Path Finder
‎11-28-2017 07:10 AM

Hi, this gives me duration but ik still get the results as i got them earlier (like in the screenshot) i still miss both the creationdates

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎11-28-2017 07:50 AM

The first part of stats values(message.CreationDate) as CreationDate should give you both the CreationDate values, unless both are same. you should be getting duration=0 in that case. If that's what happened, then use list(message.CreationDate) as CreationDate instead in your stats.

0 Karma
Reply
Solved! Jump to solution

Mike6960
Path Finder
‎11-28-2017 08:27 AM

If I use:
| eval epochCreationDate=strptime('message.CreationDate',"%Y-%m-%dT%H:%M:%S.%N%z")
| stats list(message.CreationDate) as CreationDate |stats values(message.location) as Location values(message.RequestId) as RequestId values(message.PreviousRequestId) as PreviousRequestId range(epochCreationDate) as Duration by message.MessageId

I get 'no results'

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎11-28-2017 08:41 AM

It should be included in existing stats, not a new one. Like this:

...search.... 
 | eval epochCreationDate=strptime('message.CreationDate',"%Y-%m-%dT%H:%M:%S.%N%z")
 | stats list(message.CreationDate) as CreationDate values(message.location) as Location values(message.RequestId) as RequestId values(message.PreviousRequestId) as PreviousRequestId range(epochCreationDate) as Duration by message.MessageId
0 Karma
Reply
Solved! Jump to solution

Mike6960
Path Finder
‎11-29-2017 02:57 AM

Great, it works. Ony thing is that 'list' has a maximum.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...