I have a series of differently-shaped JSON events indexed into Splunk (as JSON). They have a correlation id to link the events into "interactions".
Example events that form an interaction:
{ "correlationId": 1, "type": "start", "qty": 10, "product": "product-1", "client": "client-1" }
{ "correlationId": 1, "type": "quote", "price": 100 }
{ "correlationId": 1, "type": "quote", "price": 101 }
{ "correlationId": 1, "type": "end", "buy": "true", "qty": 1, "price": 101 }
Not every interaction will be complete; there might not be "quote" or "end" types.
Imagine I'm looking for every "interaction" that has an end which is buy, last price > 10, extracting the fields: start-qty, end-qty, price, product, client.
The fields "price" and "qty" have different meanings depending on which event type it belongs to, so I need some way to rename these events before I do my search!
Is the idea to flatten it into one record by naming each field manually?
I could write something like (might be a few syntactic errors):
... | eventstats latest(price) AS BuyPrice latest(qty) AS BuyQty BY correlationId | where type="start" | table correlationId, product, client, buy, BuyPrice, BuyQty
This is flattening everything onto the "start" type and using that record to build my results table. Is this the correct way of handling this? I'm conscious of the fact that this will probably be doing multiple iterations of the data, when in fact you could probably do just one iteration to build the result set.
How do I handle the fact that technically the "BuyPrice" column could have a value from a "quote" which was never bought? Or what if I wanted to introduce the start type "qty" as well?
Also - is it possible, once I've built my query, to give it an alias that I can use as my base search result set so I don't have to keep writing the query?
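One way to build the flattened interaction table in a single stats pass, as an added SPL example that is not part of the original post. It assumes the events are indexed in an index called `main` with the JSON fields already extracted; the `start_qty`, `end_qty` and `end_price` names are chosen here for illustration. The type-specific fields are first renamed with `eval` (nulling them out for the other event types), so the stats aggregates only see the values that belong to the intended event type; this is what keeps a "quote" price from leaking into the buy price column.

```spl
index=main sourcetype=_json
| eval start_qty = if(type="start", qty, null()),
       end_qty   = if(type="end",   qty, null()),
       end_price = if(type="end",   price, null())
| stats latest(product)   AS product
        latest(client)    AS client
        latest(start_qty) AS start_qty
        latest(end_qty)   AS end_qty
        latest(end_price) AS price
        latest(buy)       AS buy
        BY correlationId
| where buy="true" AND price > 10
| table correlationId, product, client, start_qty, end_qty, price
```

Because `stats` ignores null values, an interaction that never reached an "end" event has no `buy` or `price` after the aggregation and is dropped by the `where` clause rather than picking up a quote price. `latest()` orders by `_time`, so the result depends on the events carrying correct timestamps. To reuse the base search without retyping it, the usual options in Splunk are a search macro (Settings > Advanced search > Search macros) that you then invoke as `` `my_interactions` ``, or a saved report/data model whose results the later searches build on.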