Solved: Re: How to cross reference 2 fields (or back refer...

999chris · ‎10-20-2016

Hi,

Here are a few log examples (I've just shown the fields extracted for simplicity):

00:19:07 -
jobId=527A63
vamAssetId=815164

00:37:15 -
jobId=527A63
status=encoding
progress=20

10:08:28 -
jobId=EE7086
vamAssetId=2359740

10:08:37 -
jobId=EE7086
status=starting

...

So I'd like to present the statuses of each vamAssetId in a table - thus:

|vamAssetId|status      |progress
|815164        |encoding|20
|2359740      |starting   |0

Trouble is the "vamAssetId" fields are not referenced in the same events as a "status" or "progress". The vamAssetId is assigned a jobId early on and the jobId is the only common reference between the two.

I have the current search query, but I cant finish off and display this information logically. Could you help please?

index=ateme [search index=ateme vamAssetId=815164 | fields jobId]
| eval progress=if(status="complete",100,if(status="starting",0,progress))
| table jobId status progress

richgalloway · ‎10-20-2016

Try this.

index=ateme | transaction jobId | eval progress=case(status="complete",100, status="starting",0, 1=1, progress) | table vamAssetId jobId status progress

---
If this reply helps you, Karma would be appreciated.

View solution in original post

999chris · ‎10-24-2016

Hi,

Thanks for your try but that still isnt quite there.

Simply put I think I need to add the vamAssetId field and value to each event that matches the specific jobId.

I.e if there is one event with:

jobId=527A63
vamAssetId=815164

I need every event with jobId=527A63 to have vamAssetId=815164 added to it. This seems like the simplest solution but I've run out of brain power to do it.

sundareshr · ‎10-20-2016

Try this

index=ateme | eventstats values(vamAssetId) as vamAssetId by jobid | eval progress=if(status="complete",100,if(status="starting",0,progress)) | stats latest(status) as status latest(progress) as progress by vamAssetId | fillnull

*OR*

index=ateme | eventstats values(vamAssetId) as vamAssetId by jobid | eval progress=if(status="complete",100,if(status="starting",0,progress)) | where isnotnull(status) OR isnotnull(progress) | table vamAssetId status progres

999chris · ‎10-20-2016

Hi,

Thanks for your try but that still isnt quite there.

Simply put I think I need to add the vamAssetId field and value to each event that matches the specific jobId.

I.e if there is one event with:

jobId=527A63
vamAssetId=815164

I need every event with jobId=527A63 to have vamAssetId=815164 added to it. This seems like the simplest solution but I've run out of brain power to do it.

richgalloway · ‎10-20-2016

Try this.

index=ateme | transaction jobId | eval progress=case(status="complete",100, status="starting",0, 1=1, progress) | table vamAssetId jobId status progress

---
If this reply helps you, Karma would be appreciated.

999chris · ‎10-20-2016

Hi Rich,

Thanks for your reply. But this is not matching any events.

999chris · ‎10-24-2016

index=ateme [search index=ateme vamAssetId=$asset_id$ | fields jobId] | transaction jobId maxspan=3d | stats first(status) as Status max(progress) as Progress by filename | eval Progress=case(Status="complete",100, status="starting",0, 1=1, Progress) | rename filename as Filename

Was the modified version. This worked perfectly. Cheers

How to cross reference 2 fields (or back reference)...

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk