I have two message threads, each thread consists of ten messages. I need to request to display these two chains as one. The new thread must consist of ten different messages: five messages from one system, five messages from another (backup) system. Messages from the system use the same SrcMsgId value. Each system has a unique SrcMsgId within the same chain. The message chain from the backup system enters Splunk immediately after the messages from the main system. Messages from the standby system also have a Mainsys_srcMsgId value - this value is identical to the main system's SrcMsgId value. Tell me, how can I display a chain of all ten messages? Perhaps first the messages from the first system (main), then from the second (backup), with the display of the time of arrival at the server.
Specifically, we want to see all ten messages one after the other, in the order in which they arrived at the server. Five messages from the primary, for example: ("srcMsgId": "rwfsdfsfqwe121432gsgsfgd71") and five from the backup: ("srcMsgId": "rwfsdfsfqwe121432gsgsfgd72"). The problem is that messages from other systems also come to the server, all messages are mixed (chaotically), which is why we want to organize all messages from one system and its relative in the search. Messages from the backup system are associated with the main system only by this parameter: "Mainsys_srcMsgId" - using this key, we understand that messages come from the backup system (secondary to the main one).
Examples of messages from the primary and secondary system:
Main system:
{ "event": "Sourcetype test please", "sourcetype": "testsystem-2", "host": "some-host-123", "fields": { "messageId": "ED280816-E404-444A-A2D9-FFD2D171F32", "srcMsgId": "rwfsdfsfqwe121432gsgsfgd71", "Mainsys_srcMsgId": "", "baseSystemId": "abc1", "routeInstanceId": "abc2", "routepointID": "abc3", "eventTime": "1985-04-12T23:20:50Z", "messageType": "abc4",
..........................................................................................
Message from backup system:
{ "event": "Sourcetype test please", "sourcetype": "testsystem-2", "host": "some-host-123", "fields": { "messageId": "ED280816-E404-444A-A2D9-FFD2D171F23", "srcMsgId": "rwfsdfsfqwe121432gsgsfgd72", "Mainsys_srcMsgId": "rwfsdfsfqwe121432gsgsfgd71", "baseSystemId": "abc1", "routeInstanceId": "abc2", "routepointID": "abc3", "eventTime": "1985-04-12T23:20:50Z", "messageType": "abc4", "GISGMPRequestID": "PS000BA780816-E404-444A-A2D9-FFD2D1712345", "GISGMPResponseID": "PS000BA780816-E404-444B-A2D9-FFD2D1712345", "resultcode": "abc7", "resultdesc": "abc8" } }
When we want to combine in a query only the five messages from one chain (related by "srcMsgId"), we make the following request:
index="bl_logging" sourcetype="testsystem-2" | transaction maxpause=5m srcMsgId Mainsys_srcMsgId messageId | table _time srcMsgId Mainsys_srcMsgId messageId duration eventcount | sort srcMsgId _time | streamstats current=f window=1 values(_time) as prevTime by <field> | eval timeDiff=_time-prevTime | delta _time as timediff
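The correlation the question describes, worked through as an added example (not code from the original post): the backup system's Mainsys_srcMsgId is the main system's srcMsgId, so a single chain key is "Mainsys_srcMsgId if set, otherwise srcMsgId"; events are then filtered on that key, listed main first and backup second in server arrival order, with the gap since the previous message. The event bodies and arrival times are constructed sample data, and the `_time` field is assumed to be the ingest timestamp.

```python
import json

# Constructed sample events (not from the original post): each carries the JSON
# body shown in the question as _raw plus "_time", the epoch arrival time that
# Splunk assigns on ingest. Traffic from an unrelated system is mixed in.
MAIN = "rwfsdfsfqwe121432gsgsfgd71"
BACKUP = "rwfsdfsfqwe121432gsgsfgd72"

def _event(t, msg_id, src, mainsys):
    body = {"sourcetype": "testsystem-2", "host": "some-host-123",
            "fields": {"messageId": msg_id, "srcMsgId": src,
                       "Mainsys_srcMsgId": mainsys}}
    return {"_time": t, "_raw": json.dumps(body)}

RAW_EVENTS = [
    _event(100, "M-1", MAIN, ""),
    _event(101, "X-1", "otherchain999", ""),   # noise from another system
    _event(103, "M-2", MAIN, ""),
    _event(110, "B-1", BACKUP, MAIN),           # backup chain starts arriving
    _event(111, "X-2", "otherchain999", ""),
    _event(115, "B-2", BACKUP, MAIN),
]

def chain_id(fields):
    """Key shared by both systems: the backup copies the main system's srcMsgId
    into Mainsys_srcMsgId, so that value wins whenever it is non-empty.
    The SPL equivalent is:
      eval chain=if(isnull(Mainsys_srcMsgId) OR Mainsys_srcMsgId="", srcMsgId, Mainsys_srcMsgId)"""
    return fields.get("Mainsys_srcMsgId") or fields["srcMsgId"]

def build_chain(events, main_src_msg_id):
    """Rows for one chain: main messages first, then backup, each group in
    server arrival order, with timeDiff = seconds since the previous row."""
    rows = []
    for ev in events:
        fields = json.loads(ev["_raw"])["fields"]
        if chain_id(fields) != main_src_msg_id:
            continue   # belongs to some other chain or system
        rows.append({"_time": ev["_time"],
                     "system": "backup" if fields["Mainsys_srcMsgId"] else "main",
                     "srcMsgId": fields["srcMsgId"],
                     "messageId": fields["messageId"]})
    rows.sort(key=lambda r: (r["system"] != "main", r["_time"]))
    prev = None
    for r in rows:
        r["timeDiff"] = None if prev is None else r["_time"] - prev
        prev = r["_time"]
    return rows

if __name__ == "__main__":
    for row in build_chain(RAW_EVENTS, MAIN):
        print(row)
```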