Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to correlate/compare four different fields from two different events, visualize the events which are not matching, and count values for a different field?

murthychitturi
New Member
‎05-04-2016 02:43 PM

I have a requirement to check for the events that haven't received any response(event-2) for my request(event-1). When a request to aggregator happens, it logs the event as event 1 with fields ctx.msg= "message sent with aggregator id "and aggregator id = "some dynamic number" and when response from aggregator comes it logs as event -2 with parameters or fields ctx.msg="Delivery receipt" and ctx.props.id="value of aggregator id in request event"

Also, I have a requirement to find how many response events happened with specific error codes in the reponse event and count the number of events with different error codes.
event-1- Request

{
"v" : "1.0.1",
"time" : "2016-05-03T15:26:15.969Z",
"level" : "INFO",
"thread" : "syniverse-1",
"loggerName" : "com.sms.gateway.SmppGateway",
"id" : "daf753f3-fb3a-41a7-a217-a8ca1eca4e96",
"ctx" : {
"msg" : "Message sent with aggregator id",
"props" : 
{ "Aggregator Id" : "102420318801461823028868" } 
}
}
event-2- response 
{
"v" : "1.0.1",
"time" : "2016-05-03T15:26:18.610Z",
"level" : "INFO",
"thread" : "ExecutorService-1",
"loggerName" : "com.sms.gateway.service.DeliveryReceiptHandlerService",
"ctx" : {
"msg" : "DeliveryReceipt:",
"props" : 
{ "sub" : 1, "dlvrd" : 1, "err" : "000", "submitDate" : "1605031526", "id" : "102420318801461823028868", "state" : 2, "text" : "ext:8989-**-***", "doneDate" : "1605031526" } 
}
}

ANY HELP IS GREATLY APPRECIATED.

0 Karma
Reply

sundareshr
Legend
‎05-04-2016 06:31 PM

For the missing DeliveryReceipt report, you cold try this

.... | eval id=coalesce(id, ctx.props.id) | stats count by msg | where DeliveryReceipt=0 |

Assuming ctx.props.err is the error field, you could try

index=* msg="DeliveryReceipt" ctx.props.dlvrd=0 | stats count by ctx.props.err
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...