Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Syntax help to get distinct results from two queries from two different timeframes

JHorst
New Member
‎10-07-2022 08:28 AM

Hello all,

I would like a single splunk query that does the following:

  • Query "APP_A" for a specific log message, returning two values (key, timestamp)
  • Query "APP_B" for a specific log message, returning two values (key, timestamp)
  • Data takes roughly five min to process from APP_A to APP_B.  So, to ensure I am getting the most accurate view of the data as possible, I want to offset the queries by 600 seconds.  This likely means configuring query one to look back five min
  • Produce a table / report that lists ONLY the keys that are distinct to each table

EX:

QUERY 1 RESULTS

a1665155553
b1665155554
c1665155555
d1665155556

 

QUERY 2 RESULTS

a1665155853
c1665155854
d1665155855
e1665155856

 

OVERY ALL RESULTS (what I really want)

b1665155554
e1665155856

 

For better or worse, here is what I have so far...

| set diff

[search
index="<REDACTED>"
cf_org_name="<REDACTED>"
cf_app_name="<REDACTED>"
event_type="LogMessage" "msg.logger_name"="<REDACTED>" |
rex field="msg.message" "<REDACTED>" |
table masterKey timestamp |
]

[search
index="<REDACTED>"
cf_org_name="<REDACTED>"
cf_app_name="<REDACTED>"
event_type="LogMessage" "msg.logger_name"="<REDACTED>" |
table masterKey timestamp |
]

My syntax is for sure off, because the diff is not producing distinct results.  Also, I haven't tried to tackle the time off set problem yet.  Any help would be greatly appreciated.  Thanks in advanced.

 

 

Labels (4)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎10-07-2022 11:20 PM

set is an expensive operation.  Use stats.  Assuming that you want to look back 30 minutes, and that cf_app_name can have APP_A and APP_B, where APP_A should have a 5-minute lookback.  Do something like

(index="<REDACTED>"
cf_org_name="<REDACTED>"
cf_app_name="APP_A" earliest=-35m latest=-5m
event_type="LogMessage" "msg.logger_name"="<REDACTED>")
OR (index="<REDACTED>"
cf_org_name="<REDACTED>"
cf_app_name="APP_B" earliest=-30m latest=now
event_type="LogMessage" "msg.logger_name"="<REDACTED>")
| rex field="msg.message" "<REDACTED>" 
| stats values(cf_app_name) by key timestamp
| where mvcount('values(cf_app_name)') = 1

Hope this helps.

Reply

johnhuang
Motivator
‎10-07-2022 08:48 AM

Could you provide some sample raw data from app_a and app_b? Do they exist in the same index?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...