Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

join two fields from same source

gudavasr
Path Finder
‎05-19-2015 04:06 PM

I have log file like this:

 deal - 123456 - notification receives from web  -- Time 10:46:42
 deal - 123456 - publishing xml    -- Time 10:46:43
 deal - 789012 - notification receives from web  -- Time 10:46:45
 deal - 123456 - SAVED ack  -- Time 10:46:46
 deal - 123456 - publishing xml  -- Time 10:46:49
 deal - 789012 - SAVED ack  -- Time 10:46:52
 deal - 123456 - SAVED ack  -- Time 10:46:58

I want to create field called deal id (for ex: 123456) and grab first line and create a field called dealcreatedtime (Time 10:46:42)
Then, I want to join or do a transaction with this (4th line) line
deal - 123456 - SAVED ack -- Time 10:46:46. to create a field called Dealsavedtime.

So, I want to check how long it took to grab the same deal.

Can you please help to get the logic? I tried join and subsearch, but subsearch is grabbing both lines like below and affecting results. I tried to use tail in subsearch, but did not work.

deal - 123456 - SAVED ack -- Time 10:46:46
deal - 123456 - SAVED ack -- Time 10:46:58

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

esix_splunk
Splunk Employee
Splunk Employee
‎05-19-2015 04:29 PM

Assuming the event always ends with "SAVED ACK" you can use transaction and look at the duration. You need to extract that deal number as a field..

... | rex fields=_raw "deal - (?<deal_id>\d+)\s" | transaction deal_id endswith="SAVED ack" | table deal_id duration

View solution in original post

Reply
Solved! Jump to solution
Solution

esix_splunk
Splunk Employee
Splunk Employee
‎05-19-2015 04:29 PM

Assuming the event always ends with "SAVED ACK" you can use transaction and look at the duration. You need to extract that deal number as a field..

... | rex fields=_raw "deal - (?<deal_id>\d+)\s" | transaction deal_id endswith="SAVED ack" | table deal_id duration
Reply
Solved! Jump to solution

Arun_N_007
Communicator
‎05-19-2015 10:20 PM

Hi,

If you want the first acknowledgement (10:46:46) to be considered ignoring second (10:46:58). In sub search join you can filter using SAVED ACK and then do

..filter using "SAVED ACK"|sort by Time|convert dur2sec(Time) as TimeSec|eventstats min(TimeSec) as minTimeSec by dealId|where TimeSec==minTimeSec

above subsearch will return all the first SAVED ACKs.

You need to handle Day jump scenario by adding or negating 86400 to Time.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...