Splunk Search

Syntax help to get distinct results from two queries from two different timeframes

JHorst
New Member

Hello all,

I would like a single splunk query that does the following:

  • Query "APP_A" for a specific log message, returning two values (key, timestamp)
  • Query "APP_B" for a specific log message, returning two values (key, timestamp)
  • Data takes roughly five min to process from APP_A to APP_B. So, to ensure I am getting as accurate a view of the data as possible, I want to offset the queries by 600 seconds. This likely means configuring query one to look back five min
  • Produce a table / report that lists ONLY the keys that are distinct to each table

EX:

QUERY 1 RESULTS

a1665155553
b1665155554
c1665155555
d1665155556


QUERY 2 RESULTS

a1665155853
c1665155854
d1665155855
e1665155856


OVERALL RESULTS (what I really want)

b1665155554
e1665155856


For better or worse, here is what I have so far...

| set diff
    [search index="<REDACTED>" cf_org_name="<REDACTED>" cf_app_name="<REDACTED>"
        event_type="LogMessage" "msg.logger_name"="<REDACTED>"
        | rex field="msg.message" "<REDACTED>"
        | table masterKey timestamp]
    [search index="<REDACTED>" cf_org_name="<REDACTED>" cf_app_name="<REDACTED>"
        event_type="LogMessage" "msg.logger_name"="<REDACTED>"
        | table masterKey timestamp]

My syntax is for sure off, because the diff is not producing distinct results. Also, I haven't tried to tackle the time offset problem yet. Any help would be greatly appreciated. Thanks in advance.


yuanliu
SplunkTrust

set is an expensive operation. Use stats. Assuming that you want to look back 30 minutes, that cf_app_name can be APP_A or APP_B, and that APP_A should have a 5-minute lookback, do something like:

(index="<REDACTED>"
cf_org_name="<REDACTED>"
cf_app_name="APP_A" earliest=-35m latest=-5m
event_type="LogMessage" "msg.logger_name"="<REDACTED>")
OR (index="<REDACTED>"
cf_org_name="<REDACTED>"
cf_app_name="APP_B" earliest=-30m latest=now
event_type="LogMessage" "msg.logger_name"="<REDACTED>")
| rex field="msg.message" "<REDACTED>" 
| stats values(cf_app_name) by key timestamp
| where mvcount('values(cf_app_name)') = 1

Hope this helps.
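The following is an added example, not code from either poster, that puts the original requirement (two apps, a 600-second offset, and a table of keys present in only one of them) together with the stats-based approach from the answer above. It assumes the redacted rex pattern extracts the fields masterKey and timestamp as in the original post, that cf_app_name carries the literal values APP_A and APP_B, and that the same key carries a different timestamp in each app (as in the sample results in the question), so the grouping is on the key alone. The APP_A window is shifted back by the 600 seconds the question asks for, relative to a 30-minute APP_B window.

```spl
(index="<REDACTED>" cf_org_name="<REDACTED>" cf_app_name="APP_A"
    event_type="LogMessage" "msg.logger_name"="<REDACTED>"
    earliest=-40m latest=-10m)
OR
(index="<REDACTED>" cf_org_name="<REDACTED>" cf_app_name="APP_B"
    event_type="LogMessage" "msg.logger_name"="<REDACTED>"
    earliest=-30m latest=now)
| rex field="msg.message" "<REDACTED>"
| stats values(cf_app_name) AS seen_in, min(timestamp) AS timestamp BY masterKey
| where mvcount(seen_in) = 1
| eval missing_from=if(seen_in="APP_A", "APP_B", "APP_A")
| table masterKey seen_in missing_from timestamp
```

The two parenthesised clauses each carry their own earliest/latest, so the offset is applied per app inside one search rather than in two subsearches. The stats line collapses all events for a key into one row whose seen_in field is multivalued; a key that appears in both apps gets two values and is dropped by the mvcount check, leaving exactly the b and e rows from the example in the question. The eval then labels which side each surviving key is missing from, which is the reconciliation detail a reviewer of the report usually wants. For comparison, set diff compares whole result rows, so with (masterKey, timestamp) pairs whose timestamps differ between the apps every row is unique and nothing is filtered out, which matches the behaviour described in the original post.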

johnhuang
Motivator

Could you provide some sample raw data from app_a and app_b? Do they exist in the same index?
