Is it possible to dynamically calculate the RHS of a search comparison?
I'm looking to use Splunk to do latency measurements across various segments of a processing pipeline, e.g.:
A -> B -> C
I have a log that looks like:
<conversationId> <timestamp> <segment (e.g. A, B or C)>
Where conversationId is used to correlate messages related to a single 'conversation' as they flow through the pipeline.
I can calculate end-to-end latency like so:
sourcetype="source" segment="C" |
eval endTime=timestamp |
fields conversationId, endTime |
join type=outer conversationId [
search sourcetype="source" segment="A" |
eval startTime=timestamp |
fields conversationId, startTime
] |
eval latency=(endTime-startTime) |
fields conversationId, latency
which works, but I need to explicitly identify the start and end segments. I'd like to be able to generalize this so that I can calc latency across each of the subsegments without having to name each of them (this becomes a pain as the number of segments increases or changes).
My idea was to include info about the previous segment in the log messages:
<conversationId> <timestamp> <segment (e.g. A, B or C)> <previousSegment>
And then have a search like:
sourcetype="source" |
eval prev=previousSegment |
eval endTime=timestamp |
fields conversationId, previousSegment, endTime |
join type=outer conversationId [
search sourcetype="source" segment=***prev*** |
eval startTime=timestamp |
fields conversationId, startTime
] |
eval latency=(endTime-startTime) |
fields conversationId, latency
I can't get this to work however. Is there some way to be able to use a calculated field in the RHS of a search comparison?
Thanks,
Edwin
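As an added illustration (not part of Edwin's post, and not Splunk SPL), the following Python script implements the per-hop latency computation the post is trying to generalize: it parses the proposed log format `<conversationId> <timestamp> <segment> <previousSegment>`, pairs each event with the event in the same conversation whose segment equals its previousSegment (the same correlation the join on conversationId performs), and so never hard-codes segment names. The log lines, the epoch-second timestamps and the `-` marker for "no previous segment" are all constructed assumptions for the example; a missing hop is reported rather than silently producing a wrong number, mirroring an unmatched row in an outer join.

```python
import re
from collections import defaultdict

# Constructed sample log in the post's proposed format (all values are made up):
# <conversationId> <timestamp> <segment> <previousSegment>
# Timestamps are epoch seconds; "-" marks the first segment, which has no predecessor.
SAMPLE_LOG = """\
conv-1 1000 A -
conv-1 1003 B A
conv-1 1010 C B
conv-2 2000 A -
conv-2 2002 B A
conv-3 3000 A -
conv-3 3011 C B
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Parse log lines into (conversationId, timestamp, segment, previousSegment) tuples.

    Malformed lines are skipped so one bad record does not abort the whole measurement.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            conv, ts, seg, prev = m.groups()
            events.append((conv, int(ts), seg, prev))
    return events


def index_by_conversation(events):
    """conversationId -> {segment: (timestamp, previousSegment)} (hypothetical helper)."""
    by_conv = defaultdict(dict)
    for conv, ts, seg, prev in events:
        by_conv[conv][seg] = (ts, prev)
    return by_conv


def segment_latencies(events):
    """Return {(previousSegment, segment): [latency, ...]} across all conversations.

    Each event is the 'end' side; the 'start' side is the event in the same conversation
    whose segment equals this event's previousSegment. No segment names are hard-coded,
    so adding or renaming pipeline stages needs no change here.
    """
    by_conv = index_by_conversation(events)
    latencies = defaultdict(list)
    for conv, ts, seg, prev in events:
        if prev == "-":
            continue                       # first hop: nothing to compare against
        start = by_conv[conv].get(prev)
        if start is None:
            continue                       # predecessor never logged: drop, like an unmatched join row
        latencies[(prev, seg)].append(ts - start[0])
    return dict(latencies)


def end_to_end(events):
    """Return {conversationId: latency or None}.

    Walks from each conversation's terminal segment (one that no other event names as its
    previousSegment) back along previousSegment links to the first segment. A broken chain
    (missing hop) or an ambiguous terminal yields None instead of a misleading number.
    """
    result = {}
    for conv, segs in index_by_conversation(events).items():
        referenced = {prev for _ts, prev in segs.values()}
        terminals = [s for s in segs if s not in referenced]
        if len(terminals) != 1:
            result[conv] = None
            continue
        seg = terminals[0]
        end_ts = segs[seg][0]
        seen = set()
        while True:
            ts, prev = segs[seg]
            if prev == "-":
                result[conv] = end_ts - ts
                break
            if prev not in segs or prev in seen:
                result[conv] = None        # gap or cycle in the chain
                break
            seen.add(seg)
            seg = prev
    return result


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for hop, values in sorted(segment_latencies(evts).items()):
        print(f"{hop[0]} -> {hop[1]}: avg {sum(values) / len(values):.1f}s over {len(values)} conversations")
    for conv, lat in sorted(end_to_end(evts).items()):
        print(f"{conv}: end-to-end {'incomplete' if lat is None else f'{lat}s'}")
```

In the sample, conv-3 logs segment C with previousSegment B but never logs B itself, so the B -> C hop is excluded and its end-to-end latency is reported as incomplete; that is the case a per-segment search has to decide how to treat, whether the join is done in Splunk or elsewhere.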