Join events with different field names but with sa...

marcoscala · ‎03-29-2012

Hi All!

I have the problem to rebuild transactions from postfix/amavis logs, where the message is processed by a pipeline of different steps/processes and at a certain point, a new processing requests is queued in the pipeline. I have in an event the original "queue_id" and a new "queued_as" id, that in a next event will appear as a new "queue_id".

Transactions are already quite complex, because to link the several different events I have to use several fields: from (message sender), queue_id, message_id, thread_id(of amavis logs, correlated by message_id to postfix), and then if in an amavis event I have a queued_as, the value of this field is the value I'll find in some other event in the "queue_id" again.
As it doesn't work to have a single transaction, because the queue_id value changes, I thought to create different transactions and the "join" them, with something like "queued_as=queue_id". So I need to correlate events with a "queue_id" with events that have the same "queued_as" value.

The idea is something like this:
source=aslog NOT noqueue | transaction from, queue_id, queued_as, thread_id, message_id | innerjoin queue_id=queued_as

Thanks for help!!!

Marco

sowings · ‎03-29-2012

If queue_id and queued_as don't occur in the same log line, you could use a field alias to map them to the same name (queue_id), and use transaction on that field.

marcoscala · ‎04-03-2014

Thanks for the hint, but it doesn't apply, because it's the same field in the same position that's used as a queued_as information. It's a sort of inner join problem actually....

Join events with different field names but with same value

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms