Splunk Search

How to search all transactions existing in one payload and not present in another?

maxiva01
Engager

Hi,

Task: 2 different log files (source types). I want to find all transactions from the first payload and check which of them are missing in the second one. Then calculate the number and percentage of transactions that exist in both log files.
There is a common field in both log files, let's say fieldA.

The solution I came up with so far looks like the one below:

index=someIndex sourcetype=sourcetype1 SomeSearchCriteria
| join fieldA type=outer [search index=fsomeIndex sourcetype=sourcetype2 SomeSearchCriteria]
| fillnull value="NOVALUE" fieldA
| eval ResponseStatus=case(fieldA ="NOVALUE","noResponse", fieldA!="NOVALUE", "validResponse")
| bucket span=15m _time | stats count as Total count(fieldA) as NumberOfTransactions by ResponseStatus, _time
| eventstats sum(Total) as TOTAL_TRANSACTIONS
| eval PersentOfSuccessTransactions = round(100*NumberOfTransactions / TOTAL_TRANSACTIONS,2)
| table PersentOfSuccessTransactions NumberOfTransactions ResponseStatus _time

But in the response I see only "validResponse".
Is this something wrong with the query?

1 Solution

maxiva01
Engager

Finally I found a solution that works great:

index=someIndex sourcetype=sourcetype1 SomeSearchCriteria
| stats count as Total by fieldA
| join type=left fieldA [search index=fsomeIndex sourcetype=sourcetype2 SomeSearchCriteria | stats count as Common by fieldA]
| stats count(Total) as TransactionSent count(Common) as TransactionRecieved
| eval PersentDeliveredTransactions = round(100*TransactionRecieved / TransactionSent,2)
| table PersentDeliveredTransactions TransactionRecieved TransactionSent

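An added alternative (not from the original post) that reaches the same per-fieldA counts without join: join runs sourcetype2 as a subsearch, and subsearches are capped in result count and run time by limits.conf, so on large volumes the right-hand side can be truncated silently and the delivered percentage comes out too low. Pulling both sourcetypes into one search and aggregating with stats has no such cap; index, sourcetype and field names are taken as written in the post, everything else is assumed.

```spl
(index=someIndex sourcetype=sourcetype1 SomeSearchCriteria)
  OR (index=fsomeIndex sourcetype=sourcetype2 SomeSearchCriteria)
| eval sent=if(sourcetype=="sourcetype1",1,0), received=if(sourcetype=="sourcetype2",1,0)
| stats max(sent) as sent max(received) as received by fieldA
| where sent=1
| eval ResponseStatus=if(received=1,"validResponse","noResponse")
| stats count as TransactionSent sum(received) as TransactionReceived count(eval(received=0)) as TransactionMissing
| eval PercentDeliveredTransactions=round(100*TransactionReceived/TransactionSent,2)
| table PercentDeliveredTransactions TransactionReceived TransactionMissing TransactionSent
```

As in the accepted answer, each distinct fieldA is counted once, so retries in sourcetype1 do not inflate TransactionSent; to list the transactions that never got a response, replace the last three lines with `| where received=0 | table fieldA`.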
