Splunk Search

How to chart the results of two joined searches?

jdhux
New Member

I have two types of log events:

FIELD INITIAL VALUE
Message: 
{
        "FieldName":"Field_A",
        "OrganizationID":1234,
        "FooDocumentId":01,
        "WasAutoPopulated":true,
        "FooAutopopulateInitialValueId":567,
}

FIELD UPDATE
Message: 
{
        "FieldName":"Field_A",
        "OrganizationID":1234,
        "FooDocumentId":01,
        "FooValueChangeId":890,
} 

that I am trying to chart out using two joined searches.
FooDocumentId is a primary key, FieldName can have 1 of 10 values.

I want to count the number of times when a field had an initial value event AND an update event.

I have two separate queries to get these counts (that I think work):

FIND INITIAL FIELD VALUE EVENTS
    WasAutoPopulated=true 
    | chart dc(FooAutopopulateInitialValueId) by OrganizationID, FieldName

FIND FIELD UPDATES
    FooValueChangeId 
    | dedup FooValueChangeID 
    | chart COUNT(eval(FooValueChangeID)) by OrganizationID, FieldName

But I've been struggling to get the join right. I've done:

FooValueChangeId 
| dedup FooValueChangeID 
| join type=left FooDocumentId, FooFieldName, FooOrgID
  [search FooAutopopulateInitialValueId WasAutoPopulated=true]
| chart COUNT(eval(FieldName)) by OrganizationID, FieldName

but the DocumentIds for update events don't line up with the DocumentIds for initial value events

I'm looking for output like:

OrganizationID  Field_A Field_B Field_C
1234            2       1       0
0978            4       3       1
etc...

where the numbers under each fieldname are the counts of when that field for that organization had both an initial field value event and a field update event.

Am I miles off base?

Thanks

0 Karma
1 Solution

Masa
Splunk Employee
Splunk Employee

How about this;

 FooValueChangeId OR ( FooAutopopulateInitialValueId WasAutoPopulated=true )
 | chart count over OrganizationID by FieldName

View solution in original post

0 Karma

Masa
Splunk Employee
Splunk Employee

How about this;

 FooValueChangeId OR ( FooAutopopulateInitialValueId WasAutoPopulated=true )
 | chart count over OrganizationID by FieldName
0 Karma

jdhux
New Member

Saw your reply. There are some logging issues with my data and I'm re-evaluating what I'm using to gauge "success" of any query at this point.

If I'm reading your query right, though, this would get me all changes as well as initial values - then essentially dedup when you combine them in a chart?

Not sure I have that right.

0 Karma

Masa
Splunk Employee
Splunk Employee

Yes, you're correct.

The chart will do;
For Each OrganizationID, count of events per FieldsName.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...