Splunk Search

How do you search to return a table of only fields that change between events?

smahone11
Engager

Let's say I have a query that returns all of the updates for a given bug ID. This returns a result set for the specified ID with timestamps for when each modification took place on the bug.

index=bugs id=123

There are one or more fields that can change during each update (event).

I want a table that returns: _time, field_modified, modified_value(diff from previous event)

In the case of multiple fields changing in a single update, the output could be similar to using the stats(values) or list command.


DalJeanis
Legend

Something like this aircode should work. Test first on a very small amount of data, for example, a few records each with two different keys.

  your search that gets the various records

 | rename COMMENT as "Sort into key and time order" 
 | sort 0 YourKeyFields  _time

 | rename COMMENT as "Rename the fields so they can be identified automatically" 
 | rename * as *_New

 | rename COMMENT as "Put the keys back where they are supposed to be" 
 | rename YourKeyFields_New as  YourKeyFields

 | rename COMMENT as "Copy the fields forward by key" 
 | streamstats current=f last(*_New) as *_Old by YourKeyFields

 | rename COMMENT as "Compare the fields and delete all that have not changed or are not present" 
 | foreach *_New [ 
      eval <<MATCHSTR>>_Changed = case( <<FIELD>> == <<MATCHSTR>>_Old, null(),  isnull( <<MATCHSTR>>_Old ), null(),  true(), "Yep")
    | eval <<MATCHSTR>>_Old = case( <<MATCHSTR>>_Changed == "Yep", <<MATCHSTR>>_Old )
    | eval <<MATCHSTR>>_New = case( <<MATCHSTR>>_Changed == "Yep", <<MATCHSTR>>_New )
    ]

After you've verified that the above does work, you can optionally add a line that deletes *_Changed and/or a line that renames *_New back to *.

Updated to correct <<MATCH>> to <<MATCHSTR>>.


smahone11
Engager

Thanks, however I am not sure how the following is supposed to work

| rename COMMENT as "Put the keys back where they are supposed to be"
| rename YourKeyFIelds_New as YourKeyFIelds

| rename COMMENT as "Copy the fields forward by key"
| streamstats current=f last(*_New) as *_Old by YourKeyFIelds

When I rename my fields back, the streamstats has nothing to compare, as there are now no *_New fields in the data.


DalJeanis
Legend

@smahone11 -

Here's a run-anywhere sample that does what the code above was intended to do.

As well, we've modified the code posted above to fix some minor syntax errors.

index=_audit action=add | head 10
  | rename COMMENT as "Sort into key and time order" 
  | sort 0 action  _time

  | table _time action date_s*

  | rename COMMENT as "Rename the fields so they can be identified automatically" 
  | rename * as *_New
  | rename COMMENT as "Put the keys back where they are supposed to be" 
  | rename action_New as  action
  | rename COMMENT as "Copy the fields forward by key" 
  | streamstats current=f last(*_New) as *_Old by action
  | rename COMMENT as "Compare the fields and delete all that have not changed or are not present" 
  | foreach *_New [ 
      eval <<MATCHSTR>>_Changed = case( <<MATCHSTR>>_New == <<MATCHSTR>>_Old, null(),  isnull( <<MATCHSTR>>_Old ), null(),  true(), "yep")
    | eval <<MATCHSTR>>_New = case( <<MATCHSTR>>_Changed == "yep", <<MATCHSTR>>_New)
    | eval <<MATCHSTR>>_Old = case( <<MATCHSTR>>_Changed == "yep", <<MATCHSTR>>_Old)
    ]

somesoni2
Revered Legend

Can we have some sample events which shows how the changed values are logged?


smahone11
Engager

Well basically, it's as easy as the following.

Taking the following event fields returned

timestamp, id, priority, assigned, team, status

(example return)

9/17/2018 8:57:00, 524441, 1, triage, web, new
9/17/2018 9:57:00, 524441, 1, tim, service, open
9/17/2018 10:57:00, 524441, 2, tim, service, open
9/17/2018 11:57:00, 524441, 2, tim, service, in_progress
9/17/2018 12:57:00, 524441, 2, joe, service, closed

I would like to display as

_time, modified_field, new_value
9/17/2018 9:57:00, id, 524441
priority, 1
assigned, triage
team, web
status, new
9/17/2018 9:57:00, assigned, tim
team, service
status, open
9/17/2018 10:57:00......etc.

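The logic the thread converges on (sort by key and time, carry each key's previous values forward, report only the fields that differ), applied to the sample rows posted above as an added reference implementation in Python. It is not Splunk search code and not from anyone in the thread. It assumes the column order shown in the sample (timestamp, id, priority, assigned, team, status), adds one constructed event for a second bug ID so the per-key grouping that `streamstats ... by YourKeyFields` provides is exercised, and, unlike the posted SPL, whose `isnull(<<MATCHSTR>>_Old), null()` branch blanks every field on the first event of a key, reports all fields on that first event so the output matches the table the question asks for.

```python
from datetime import datetime

# Constructed sample events (not from a real bug tracker): the five rows posted
# in the thread plus one row for a second bug ID (524442) to exercise grouping.
# Column order: timestamp, id, priority, assigned, team, status.
SAMPLE_EVENTS = """\
9/17/2018 8:57:00, 524441, 1, triage, web, new
9/17/2018 9:57:00, 524441, 1, tim, service, open
9/17/2018 10:57:00, 524441, 2, tim, service, open
9/17/2018 11:57:00, 524441, 2, tim, service, in_progress
9/17/2018 12:57:00, 524441, 2, joe, service, closed
9/17/2018 9:30:00, 524442, 3, ann, web, new
"""

KEY = "id"
FIELDS = ("priority", "assigned", "team", "status")
TIME_FMT = "%m/%d/%Y %H:%M:%S"


def parse_events(text):
    """Parse the comma-separated lines into dicts. '_time' keeps the original
    timestamp string for display; 'ts' is the parsed datetime used for sorting,
    so that 10:57 is not ordered before 8:57 the way a plain string sort would."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split(",")]
        event = {"_time": parts[0],
                 "ts": datetime.strptime(parts[0], TIME_FMT),
                 KEY: parts[1]}
        event.update(zip(FIELDS, parts[2:]))
        events.append(event)
    return events


def field_changes(events, key=KEY, fields=FIELDS):
    """Yield (_time, modified_field, new_value) for each field whose value
    differs from the previous event with the same key. 'previous' plays the
    role of the *_Old values that streamstats current=f last(*) carries
    forward per key. The first event seen for a key has no previous values,
    so it reports the key itself and every field."""
    previous = {}  # key value -> field values of the last event for that key
    for ev in sorted(events, key=lambda e: (e[key], e["ts"])):
        old = previous.get(ev[key])
        if old is None:
            yield (ev["_time"], key, ev[key])
        for f in fields:
            if old is None or old.get(f) != ev.get(f):
                yield (ev["_time"], f, ev.get(f))
        previous[ev[key]] = {f: ev.get(f) for f in fields}


def changes_table(text=SAMPLE_EVENTS):
    """Return the long-format result as a list of (_time, modified_field, new_value)."""
    return list(field_changes(parse_events(text)))


if __name__ == "__main__":
    for row in changes_table():
        print("\t".join(str(v) for v in row))
```

Feeding the rows in any order gives the same table, because the sort on (key, parsed time) happens before the comparison, which is the same reason the SPL above runs `sort 0 YourKeyFields _time` before `streamstats`. If the first event of each key should appear in the Splunk output as well, drop the `isnull( <<MATCHSTR>>_Old ), null()` branch from the `case()` so a null `_Old` counts as a change.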