Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

working with timestamps and need to pull the records which are matching conditions

srinivasup
Explorer
‎04-19-2017 06:57 AM

I wrote a Splunk search and it's giving my expected results:

index=main sourcetype="log" 
| rename SERVICE_ID AS SUB_SERVICEID, SERVER_NAME AS SUB_SERVER_NAME, SERVERTIME AS SUB_SERVERTIME, SERVER_TIMESTAMP AS SUB_SERVER_TIMESTAMP
| join type=inner appendcols TRACKINGID_TEXT [ search index=main sourcetype="log"
| rename SERVICE_ID AS PUB_SERVICEID, BUSINESSKEY_TEXT AS PUB_BUSINESSKEYTEXT, SERVER_NAME AS PUB_SERVER_NAME, SERVERTIME AS PUB_SERVERTIME, SERVER_TIMESTAMP AS PUB_SERVER_TIMESTAMP  ]
| rex field=BUSINESSKEY_TEXT (?\d+)\|(?\d+)\|(?.+)\|(?.{19})
| eval SUB_SERVER_TIMESTAMP=strftime(SUB_SERVER_TIMESTAMP ,"%m/%d/%y %H:%M:%S")| sort  SUB_SERVER_TIMESTAMP 
| eval PUB_SERVER_TIMESTAMP=strftime(PUB_SERVER_TIMESTAMP,"%m/%d/%y %H:%M:%S")| rename Shipment as sh SAPtime as st PUB_SERVER_TIMESTAMP as PST SUB_SERVER_TIMESTAMP as SST
| table Shipment SAPtime PUB_SERVER_TIMESTAMP SUB_SERVER_TIMESTAMP

Output :
alt text

Here the question is that: sh field is the id, st is the dispatch time, and SST is the delivered time. Now we need identify the count of delivered sh id which are not in order they dispatched.

Example:
-First line has dispatched at 2017-03-29 19:11:17 and delivered at 03/30/17 07:41:30
-Third line has dispatched at 2017-03-29 19:11:20 and delivered at 03/30/17 07:41:51 (these two are proper because they followed the order they delivered.
-Second line has dispatched at 2017-03-29 19:11:24 and delivered at 03/30/17 07:41:36, here order is missed. We need to find the count of such events for each st*

Preview file
1 KB
0 Karma
Reply

cmerriman
Super Champion
‎04-19-2017 07:39 AM

i think streamstats might be what you need. something like below maybe

...|sort 0 + SST|streamstats window=1 current=f values(st) as previousST|fillnull previousST value=0|eval incorrectDispatch=if(st-previousST>0,0,1)|stats sum(incorrectDispatch) as incorrectDispatch by st
0 Karma
Reply

srinivasup
Explorer
‎04-20-2017 03:09 AM

I have used below query

...| streamstats current=f window=1 values(SST) as prevFrom | where SST < prevFrom

This is work for individual events not for many events. any suggestio.

0 Karma
Reply

srinivasup
Explorer
‎05-02-2017 06:42 PM

its not giving proper results any otherway

0 Karma
Reply

srinivasup
Explorer
‎05-23-2017 08:19 PM

We need to find out the Ids along with DispatchTime which are not dispatched in correct sequence.
ID DispatchTime
1 05/22/17 02:13:01
1 05/22/17 02:17:13
1 05/22/17 02:15:33 --- It is dispatched before 2nd event dispatch,
1 05/22/17 02:22:03
2 05/22/17 02:25:56
2 05/22/17 02:26:18
2 05/22/17 02:24:37 ------ it is dispatched before above 2 events.
3 05/22/17 02:31:19
3 05/22/17 02:50:03
3 05/22/17 02:53:29 ----- it is dispatched in wrong sequence
3 05/22/17 02:51:52
4 05/22/17 03:01:34
4 05/22/17 22:01:30
4 05/22/17 22:01:30

0 Karma
Reply

cmerriman
Super Champion
‎05-24-2017 04:44 AM

alright, i just plugged in all of those data points in a makeresults. 

 | makeresults |eval data="order=1 id=1 dt=05/22/17 02:13:01,order=2 id=1 dt=05/22/17 02:17:13,order=3 id=1 dt=05/22/17 02:15:33,order=4 id=1 dt=05/22/17 02:22:03,order=1 id=2 dt=05/22/17 02:25:56,order=2 id=2 dt=05/22/17 02:26:18,order=3 id=2 dt=05/22/17 02:24:37,order=1 id=3 dt=05/22/17 02:31:19,order=2 id=3 dt=05/22/17 02:50:03,order=3 id=3 dt=05/22/17 02:53:29,order=4 id=3 dt=05/22/17 02:51:52,order=1 id=4 dt=05/22/17 03:01:34,order=2 id=4 dt=05/22/17 22:01:30,order=3 id=4 dt=05/22/17 22:01:30"|makemv data delim=","|mvexpand data|eval _raw=data|kv|rex field=data "dt=(?<dt>.*)"|eval _time=strptime(dt,"%m/%d/%y %H:%M:%S")|sort id +order | streamstats current=f window=1 values(_time) as prevST by id  |eval prevST=if(isnull(prevST),_time,prevST)| where _time >= prevST

I think if you add ...| streamstats current=f window=1 values(st) as prevST by id |eval prevST=if(isnull(prevST),_time,prevST)| where st >= prevST it should work. just make sure that st is in epoch and isn't a string.

0 Karma
Reply

cmerriman
Super Champion
‎04-20-2017 04:46 AM

sorry, i misread the original post, but i think i might understand it better now.

...|sort 0 sh + st | streamstats current=f window=1 values(SST) as prevFrom by sh | where SST < prevFrom

from there you can count up how many there are with |stats count

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...