Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

join two events with a common field

pankajad
Explorer
‎12-19-2017 01:32 PM

I want to join the below two events based on tid. For "Event1", there could be multiple" Event2"

Event1:
20171219.114132 myapp error statusCode=500 tid=14ec038e-ba3d-423d-836a-1c7b8fa3073d

Event2:
20171219.114132 Fn=makeRequest HttpStatusCode=401 ElapsedTime=79 tid=14ec038e-ba3d-423d-836a-1c7b8fa3073d
20171219.114132 Fn=makeRequest HttpStatusCode=200 ElapsedTime=50 tid=14ec038e-ba3d-423d-836a-1c7b8fa3073d

I have tried this so far but it doesn't give all the events - 

index=myindex "myapp error"  |join tid [search  index=myindex Fn=makeRequest |fields tid, HttpStatusCode] |table tid, statusCode, HttpStatusCode
Tags (4)
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-19-2017 08:03 PM

Hi @pankajad,

Can you please try search?

index=myindex "myapp error" 
| append 
    [ search index=myindex Fn=makeRequest 
    | fields tid, HttpStatusCode] 
| stats values(statusCode) as statusCode values(HttpStatusCode) as HttpStatusCode by tid

Check my sample search.

| makeresults 
| eval _raw="20171219.114132 myapp error statusCode=500 tid=14ec038e-ba3d-423d-836a-1c7b8fa3073d" 
| append 
    [| makeresults 
    | eval _raw="20171219.114132 Fn=makeRequest HttpStatusCode=401 ElapsedTime=79 tid=14ec038e-ba3d-423d-836a-1c7b8fa3073d"] 
| append 
    [| makeresults 
    | eval _raw="20171219.114132 Fn=makeRequest HttpStatusCode=200 ElapsedTime=50 tid=14ec038e-ba3d-423d-836a-1c7b8fa3073d"] 
| kv
| stats values(statusCode) as statusCode values(HttpStatusCode) as HttpStatusCode by tid

thanks

0 Karma
Reply

nickhills
Ultra Champion
‎12-19-2017 02:01 PM

would transaction not be of use here?

index=myindex ("myapp error" OR Fn=makeRequest)  |transaction tid startswith="myapp error"|table tid, statusCode, HttpStatusCode
If my comment helps, please give it a thumbs up!
0 Karma
Reply

pankajad
Explorer
‎12-19-2017 04:30 PM

This didn't work. I'm getting all events from "Fn=makeRequest "and "myapp error". It's not doing any join

0 Karma
Reply

nickhills
Ultra Champion
‎12-19-2017 10:49 PM

Transaction won’t join per se, it groups events based on a common field. tid in this case.

I have double checked my spl and I can’t see anything wrong, so am intrigued what it actually outputs for you.

If my comment helps, please give it a thumbs up!
0 Karma
Reply

nickhills
Ultra Champion
‎12-21-2017 01:46 AM

I made a slight change to the suggestion above, could you try it again?

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...