Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Syntax help to get distinct results from two queries from two different timeframes

JHorst
New Member
‎10-07-2022 08:28 AM

Hello all,

I would like a single splunk query that does the following:

  • Query "APP_A" for a specific log message, returning two values (key, timestamp)
  • Query "APP_B" for a specific log message, returning two values (key, timestamp)
  • Data takes roughly five min to process from APP_A to APP_B.  So, to ensure I am getting the most accurate view of the data as possible, I want to offset the queries by 600 seconds.  This likely means configuring query one to look back five min
  • Produce a table / report that lists ONLY the keys that are distinct to each table

EX:

QUERY 1 RESULTS

a1665155553
b1665155554
c1665155555
d1665155556

 

QUERY 2 RESULTS

a1665155853
c1665155854
d1665155855
e1665155856

 

OVERY ALL RESULTS (what I really want)

b1665155554
e1665155856

 

For better or worse, here is what I have so far...

| set diff

[search
index="<REDACTED>"
cf_org_name="<REDACTED>"
cf_app_name="<REDACTED>"
event_type="LogMessage" "msg.logger_name"="<REDACTED>" |
rex field="msg.message" "<REDACTED>" |
table masterKey timestamp |
]

[search
index="<REDACTED>"
cf_org_name="<REDACTED>"
cf_app_name="<REDACTED>"
event_type="LogMessage" "msg.logger_name"="<REDACTED>" |
table masterKey timestamp |
]

My syntax is for sure off, because the diff is not producing distinct results.  Also, I haven't tried to tackle the time off set problem yet.  Any help would be greatly appreciated.  Thanks in advanced.

 

 

Labels (4)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎10-07-2022 11:20 PM

set is an expensive operation.  Use stats.  Assuming that you want to look back 30 minutes, and that cf_app_name can have APP_A and APP_B, where APP_A should have a 5-minute lookback.  Do something like

(index="<REDACTED>"
cf_org_name="<REDACTED>"
cf_app_name="APP_A" earliest=-35m latest=-5m
event_type="LogMessage" "msg.logger_name"="<REDACTED>")
OR (index="<REDACTED>"
cf_org_name="<REDACTED>"
cf_app_name="APP_B" earliest=-30m latest=now
event_type="LogMessage" "msg.logger_name"="<REDACTED>")
| rex field="msg.message" "<REDACTED>" 
| stats values(cf_app_name) by key timestamp
| where mvcount('values(cf_app_name)') = 1

Hope this helps.

Reply

johnhuang
Motivator
‎10-07-2022 08:48 AM

Could you provide some sample raw data from app_a and app_b? Do they exist in the same index?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco &#43; Splunk! We’ve ...