Splunk Search

How to correlate/compare four different fields from two different events, visualize the events which are not matching, and count values for a different field?

murthychitturi
New Member

I have a requirement to check for events that haven't received any response (event-2) for my request (event-1). When a request to the aggregator happens, it logs event-1 with the fields ctx.msg="message sent with aggregator id" and aggregator id="some dynamic number", and when the response from the aggregator comes, it logs event-2 with the parameters or fields ctx.msg="Delivery receipt" and ctx.props.id="value of aggregator id in request event".

Also, I have a requirement to find how many response events happened with specific error codes in the response event and count the number of events with different error codes.

event-1 - Request

{
  "v" : "1.0.1",
  "time" : "2016-05-03T15:26:15.969Z",
  "level" : "INFO",
  "thread" : "syniverse-1",
  "loggerName" : "com.sms.gateway.SmppGateway",
  "id" : "daf753f3-fb3a-41a7-a217-a8ca1eca4e96",
  "ctx" : {
    "msg" : "Message sent with aggregator id",
    "props" : { "Aggregator Id" : "102420318801461823028868" }
  }
}

event-2 - Response

{
  "v" : "1.0.1",
  "time" : "2016-05-03T15:26:18.610Z",
  "level" : "INFO",
  "thread" : "ExecutorService-1",
  "loggerName" : "com.sms.gateway.service.DeliveryReceiptHandlerService",
  "ctx" : {
    "msg" : "DeliveryReceipt:",
    "props" : { "sub" : 1, "dlvrd" : 1, "err" : "000", "submitDate" : "1605031526", "id" : "102420318801461823028868", "state" : 2, "text" : "ext:8989-**-***", "doneDate" : "1605031526" }
  }
}

ANY HELP IS GREATLY APPRECIATED.

0 Karma

sundareshr
Legend

For the missing DeliveryReceipt report, you could try this

.... | eval id=coalesce('ctx.props.Aggregator Id', 'ctx.props.id') | stats count(eval(like('ctx.msg', "DeliveryReceipt%"))) as DeliveryReceipt by id | where DeliveryReceipt=0

Assuming ctx.props.err is the error field, you could try

index=* ctx.msg="DeliveryReceipt*" ctx.props.dlvrd=0 | stats count by ctx.props.err
0 Karma
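
The correlation asked for in this thread, worked offline in Python over events shaped like the two samples, which is useful for checking a search's results against a raw export. This is an added example, not code from the thread: the first two sample events mirror the posted ones, and the `SAMPLE-` ids and error code, the function name, and the one-event-per-line layout are assumptions.

```python
import json
from collections import Counter

# Constructed sample: the first two events mirror the thread's request and
# receipt; the rest are made up to exercise the unmatched and error paths.
SAMPLE_LOG = """\
{"time":"2016-05-03T15:26:15.969Z","id":"daf753f3-fb3a-41a7-a217-a8ca1eca4e96","ctx":{"msg":"Message sent with aggregator id","props":{"Aggregator Id":"102420318801461823028868"}}}
{"time":"2016-05-03T15:26:18.610Z","ctx":{"msg":"DeliveryReceipt:","props":{"dlvrd":1,"err":"000","id":"102420318801461823028868"}}}
{"time":"2016-05-03T15:27:01.000Z","id":"00000000-0000-0000-0000-000000000001","ctx":{"msg":"Message sent with aggregator id","props":{"Aggregator Id":"SAMPLE-0002"}}}
{"time":"2016-05-03T15:27:05.000Z","id":"00000000-0000-0000-0000-000000000002","ctx":{"msg":"Message sent with aggregator id","props":{"Aggregator Id":"SAMPLE-0003"}}}
{"time":"2016-05-03T15:27:09.000Z","ctx":{"msg":"DeliveryReceipt:","props":{"dlvrd":0,"err":"SAMPLE-ERR","id":"SAMPLE-0003"}}}
"""

def correlate(lines):
    """Return (requests with no receipt, receipt count per error code)."""
    sent = {}            # aggregator id -> time the request was logged
    answered = set()     # aggregator ids seen in a delivery receipt
    errors = Counter()   # ctx.props.err -> number of receipts
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue     # skip truncated or non-JSON lines
        ctx = event.get("ctx", {})
        msg, props = ctx.get("msg", ""), ctx.get("props", {})
        if msg.startswith("Message sent with aggregator id"):
            # The join key is ctx.props."Aggregator Id", not the top-level id (a UUID).
            key = props.get("Aggregator Id")
            if key is not None:
                sent.setdefault(key, event.get("time"))
        elif msg.startswith("DeliveryReceipt"):
            key = props.get("id")
            if key is not None:
                answered.add(key)
            errors[props.get("err", "missing")] += 1
    unanswered = {k: t for k, t in sent.items() if k not in answered}
    return unanswered, dict(errors)

if __name__ == "__main__":
    unanswered, errors = correlate(SAMPLE_LOG.splitlines())
    print("requests without a receipt:", unanswered)
    print("receipts per error code:", errors)
```

A request logged shortly before the export was taken will show up as unanswered simply because its receipt has not arrived yet, so compare the reported time against an acceptable delivery delay before treating it as lost.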