Splunk Search

How can I combine the events to bring it back as 1 event or even for it to show just a list of fields?

Sfry1981
Communicator

I have a search like this where it brings back a history of an event based on the guid. The last event has the information about the error but the first event has the information about the ID of the user under a_tid. I have mapped out the searches below for info:

index=nameofindex Microservice "Instance errored" 

This brings back the below event

a_time="2018-06-15 21:26:49,836", a_tid="(null)", a_rid="71111111-3be2-46ea-a91e-f635b785a750",  a_msg="Instance errored"

Now if I search with the guid ID as per the below:

index=nameofindex a_rid="71111111-3be2-46ea-a91e-f635b785a750"

I get the below events:

a_time="2018-06-15 21:26:49,836", a_tid="(null)", a_rid="71111111-3be2-46ea-a91e-f635b785a750",  a_msg="Instance errored"

a_time="2018-06-15 21:26:49,671", a_tid="10132", a_rid="71111111-3be2-46ea-a91e-f635b785a750",  a_tid="00001" a_msg="Registering instance"

What I want to do is perform the first search but I want to pull through a list of the a_tid that has an ID like the above which shows 'a_tid="00001" '

Ideally I would like the event to show as the below:

a_time="2018-06-15 21:26:49,836", a_rid="71111111-3be2-46ea-a91e-f635b785a750",  a_msg="Instance errored", a_tid="00001"

So the link is there on the event history but how can I combine the events to bring it back as 1 event or even for it to show just a list of a_tid?


Ayn
Legend

I would write a subsearch for retrieving all a_rid values for events with the "Instance errored" message, then either run transaction or stats for getting the desired results. I noticed you say you're searching for "Microservice" but the example event you show doesn't actually have that string in it - maybe you meant sourcetype=Microservice or something? I'm assuming this in my query below.

index=nameofindex [search index=nameofindex sourcetype=Microservice "Instance errored" | fields a_rid] | transaction a_rid | search a_tid=00001

...or similarly using stats, which is cheaper from a performance perspective:

index=nameofindex [search index=nameofindex sourcetype=Microservice "Instance errored" | fields a_rid] | stats values(a_tid) as a_tid by a_rid | search a_tid=00001

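The subsearch-plus-stats correlation from the answer above, modelled in Python as an added example (not Splunk's code and not part of the thread): a parser for the key="value" line format the events use, the equivalent of the "Instance errored" subsearch, and the equivalent of `stats values(a_tid) as a_tid by a_rid` followed by `search a_tid=00001`. The sample events are constructed; the second a_rid and its messages are invented to show a request that did not error.

```python
import re
from collections import defaultdict

# Constructed sample events in the key="value" format from the thread (not real
# data). The "Registering instance" lines carry a_tid twice, as in the original
# post, which is why Splunk's values(a_tid) returns a multivalue field.
SAMPLE_EVENTS = [
    'a_time="2018-06-15 21:26:49,836", a_tid="(null)", a_rid="71111111-3be2-46ea-a91e-f635b785a750",  a_msg="Instance errored"',
    'a_time="2018-06-15 21:26:49,671", a_tid="10132", a_rid="71111111-3be2-46ea-a91e-f635b785a750",  a_tid="00001" a_msg="Registering instance"',
    'a_time="2018-06-15 21:30:01,002", a_tid="20456", a_rid="22222222-aaaa-4bbb-8ccc-dddddddddddd",  a_tid="00002" a_msg="Registering instance"',
    'a_time="2018-06-15 21:30:05,110", a_tid="(null)", a_rid="22222222-aaaa-4bbb-8ccc-dddddddddddd",  a_msg="Instance completed"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Return {field: [value, ...]}. A repeated key becomes a multivalue field,
    mirroring how Splunk's auto-extraction treats the doubled a_tid."""
    fields = defaultdict(list)
    for key, value in KV_RE.findall(line):
        fields[key].append(value)
    return dict(fields)


def errored_rids(events):
    """Equivalent of the subsearch: [search "Instance errored" | fields a_rid]."""
    rids = set()
    for ev in events:
        if "Instance errored" in ev.get("a_msg", []):
            rids.update(ev.get("a_rid", []))
    return rids


def tids_by_rid(events, rids):
    """Equivalent of: index=... (a_rid=... OR a_rid=...) | stats values(a_tid) as a_tid by a_rid.
    values() keeps each distinct value once; "(null)" is a literal string in the
    events, so it is kept here exactly as Splunk would keep it."""
    grouped = defaultdict(set)
    for ev in events:
        for rid in ev.get("a_rid", []):
            if rid in rids:
                grouped[rid].update(ev.get("a_tid", []))
    return {rid: sorted(tids) for rid, tids in grouped.items()}


def correlate(lines):
    """Run the whole pipeline over raw log lines."""
    events = [parse_event(line) for line in lines]
    return tids_by_rid(events, errored_rids(events))


def rids_with_tid(correlated, tid):
    """Equivalent of the final '| search a_tid=00001': a multivalue field
    matches when any one of its values equals the searched value."""
    return sorted(rid for rid, tids in correlated.items() if tid in tids)
```

Only the errored a_rid survives the subsearch stage, so the completed request never reaches the stats step, exactly as in the Splunk query.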

Sfry1981
Communicator

Thanks Ayn, that's done the trick. This now gives me the next step to connect more dots, as it was bugging me 🙂

Also, like you say, the transaction was too costly, so I went with the stats, which was a lot better.


Ayn
Legend

Cool, there's also eventstats that does the same as stats but keeps all data from the original events, if that helps.
