Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Joining 2 sourcetypes ( 2 types of events ) based on time range

tragiccode
New Member
‎11-07-2017 03:51 AM

We have 2 sourcetypes that we would like to somehow do a join based on if sourcetype2 has a ArrivalDateTime that falls within any of SourceType1 StartDateTime and EndDateTime

sourcetype2
contains an ArrivalDateTime

Title="Update for Adobe Flash Player for Windows Server 2016 for x64-based Systems (KB4051613)"
LegacyName="KB4051613-WinNextServer-RTM-RS1RTM-X64-TSL"
MsrcSeverity="Unspecified"
KnowledgebaseArticles="4051613"
CreationDate="11/1/2017 5:00:00 PM"
ArrivalDate="11/7/2017 12:11:29 AM"
UpdateType="Software"
PublicationState="Published"

sourcetype1
Contains a StartDateTime and EndDateTime

Id="a775be6b-36ea-41a3-ba4f-3b0ae7f63e82"
StartTime="11/6/2017 10:37:34 PM"
EndTime="11/6/2017 11:05:21 PM"
Result="Succeeded"

I would like the end output of the combined event to look like so

StartTime="11/6/2017 10:37:34 PM"
EndTime="11/6/2017 11:05:21 PM"
Result="Succeeded"
Title="Update for Adobe Flash Player for Windows Server 2016 for x64-based Systems (KB4051613)"
LegacyName="KB4051613-WinNextServer-RTM-RS1RTM-X64-TSL"
MsrcSeverity="Unspecified"
KnowledgebaseArticles="4051613"
CreationDate="11/1/2017 5:00:00 PM"
ArrivalDate="11/7/2017 12:11:29 AM"
UpdateType="Software"
PublicationState="Published"
Tags (2)
0 Karma
Reply

DalJeanis
Legend
‎11-07-2017 01:11 PM

Try something like this...

 (sourcetype=type1 ) OR (sourcetype=type2)
 | eval time1=strptime(StartTime,"%m/%d/%Y %I:%M:%S %p")
 | eval time2=strptime(EndTime,"%m/%d/%Y %I:%M:%S %p")
 | eval time3=strptime(ArrivalDate,"%m/%d/%Y %I:%M:%S %p")   
 | eval time0=coalesce(time2,time3)
 | sort 0 - time0
 | streamstats current=f last(time1) as lasttime1 last(StartTime) as lastStart last(time2) as lasttime2 last(EndTime) as lastEnd last(Result) as lastResult
 | search sourcetype="type2"
 | eval StartTime=case(isnull(lasttime1) OR isnull(lastStart),"((NO MATCH))", time3<lasttime1,"((NO MATCH))", true(),lastStart)
 | eval EndTime=case(isnull(lasttime1) OR isnull(lastEnd),"((NO MATCH))", time3<lasttime1,"((NO MATCH))", true(),lastEnd)
 | eval Result=case(isnull(lasttime1) OR isnull(lastResult),"((NO MATCH))", time3<lasttime1,"((NO MATCH))", true(), lastResult)
 | fields - time* last*

This is based on the assumption that your wording was correct, rather than your example, which falls outside the range for that event.

 CreationDate="11/1/2017 5:00:00 PM"
 ArrivalDate="11/7/2017 12:11:29 AM"
 StartTime="11/6/2017 10:37:34 PM"
 EndTime="11/6/2017 11:05:21 PM"

The above example, to match, would require the StartTime and Endtime to be within the CreationDate and ArrivalDate. The below example is the one that this code would work for.

 CreationDate="11/1/2017 5:00:00 PM"
 ArrivalDate="11/6/2017 11:01:29 PM"
 StartTime="11/6/2017 10:37:34 PM"
 EndTime="11/6/2017 11:05:21 PM"
Reply

nileena
Path Finder
‎11-07-2017 12:46 PM

Assuming ArrivalDate is the timestamp for sourcetype2 and StartTime is timestamp for sourcetype1, you could try writing a search like this:

sourcetype=sourcetype1 OR sourcetype=sourcetype2 | eval EndTimeEpoch=strptime(EndTime, "%m/%d/%Y %H:%M:%S %p") | streamstats current=f last(EndTimeEpoch) AS EndTimeEpoch last(Result) AS Result last(Id) AS Id by _time | where _time>EndTimeEpoch

Streamstats might help you correlate the ArrivalDate field with StartTime and EndTime.

Reply

DalJeanis
Legend
‎11-07-2017 01:16 PM

Pretty good work, @nileena! Here's one additional thing to deal with: you generally need to set an explicit sort order before your streamstats command, because (especially in this case) you can't be sure what the _time might be for these events. Some kinds of events, it would be the first time field on the event, some the last.

0 Karma
Reply

nileena
Path Finder
‎11-07-2017 08:54 PM

Oh ya, that makes sense, thanks! 🙂

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-07-2017 03:57 AM

Hi

Is that any common field (KEY) in both sourcetype (sourcetype1 & sourcetype2)?
I found Id in sourcetype1. Is that any field which can be used to relate event of courcetype1 to event of sourcetyp2?

Thanks

0 Karma
Reply

tragiccode
New Member
‎11-07-2017 04:20 AM

Nope, All i can join on "so-to-speak" is if the datetime of 1 sourcetype falls inside the range of the other sourcetype

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-07-2017 07:47 AM

Ok. It is difficult to design search. Well, I have used _time aa related fields. So can you please try below search? It might possible there are multi-valued fields display at single time stamp.

sourcetype=sourcetype1 | fileds _time Id StartTime EndTime Result | append [ search 
sourcetype=sourcetype2 | fileds _time Title LegacyName MsrcSeverity KnowledgebaseArticles CreationDate ArrivalDate UpdateType PublicationState ] | stats values(Id) as Id values(StartTime) as StartTime values(EndTime) as EndTime values(Result) as Result values(Title) as Title values(LegacyName) as LegacyName values(MsrcSeverity) as MsrcSeverity values(KnowledgebaseArticles) as KnowledgebaseArticles values(CreationDate) as CreationDate values(ArrivalDate) as ArrivalDate values(UpdateType) as UpdateType values(PublicationState) as PublicationState by _time

Happy Splunking

0 Karma
Reply

somesoni2
Revered Legend
‎11-07-2017 07:39 AM

How many events are there in sourcetype1?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...