Re: Combining multiple events into one and show in...

mlprasad79 · ‎02-11-2021

Hi Team,

We have a service in Splunk which calls 3 different APIs and do some business logic and responds back a Code(P, W, F). I have my events some what looks like below : interaction-id is the common field.

event1: myservice transaction begins

event2: myservice calls first-api

event3: myservice call to first-api is successful

event4: myservice calls second-api

event5: myservice calls to second-api is success

event6: myservice calls third-api

event7: myservice calls to third-api is success

event8: myservice is respond with result code 'W'

Now I need a table with these columns:

_time	interaction-id	is first-api successful ?	is second-api successful ?	is third-api successful?	FInal Code
sometime	someinteractionId	Yes	yes	yes	W
"	"	No	yes	yes	X

Please help me with the query.

isoutamo · ‎02-11-2021

How about

...
| stats first(_time) as _time values(*) as * by interaction-id

r. Ismo

mlprasad79 · ‎02-12-2021

Thanks for the reply Soutamo.

I ran this query but it is showing every other event along with the main events I mentioned in my post.
The output table is loaded with all default fields along with manually extracted fields; but I need only the fields mentioned in the table.

Note: In my post, I mentioned only the needed events.

isoutamo · ‎02-12-2021

Then try to replace values(*) as * by each of your interested fields like values(field1) as field1 values(field2) as ....

Combining multiple events into one and show in a table

table

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases