topic Re: Find a specific kind of event before event result in Splunk Search

Find a specific kind of event before event result

CMSchelin — Mon, 30 Apr 2018 21:04:15 GMT

I'm searching in our IIS logs. I'm looking for a web POST action. The problem is that this POST action happens after one gets to the object page, which is indicated with a URL parameter. So like, example data:

_time                x_uid  cs_method cs_Referer                cs_uri_stem               cs_uri_query
2018-04-10 12:01:00  52634  POST      http://ref.url/obj/p.htm  http://ref.url/obj/p.htm
2018-04-10 12:00:30  52634  GET       http://ref.url/obj        http://ref.url/obj/p.htm
2018-04-10 12:00:00  52634  GET       http://ref.url            http://ref.url/obj        ?id=123

The criteria I need to find is all times when someone POSTs on that specific page. What I want to also get is what ID was posted against (123, in the above example).

Is that possible? I'm trying to read up on transactions and maps, but I'm not getting it.

Re: Find a specific kind of event before event result

somesoni2 — Tue, 29 Sep 2020 19:19:30 GMT

If x_uid is uniq, you could use stats to get id value from event with cs_method GET.

Re: Find a specific kind of event before event result

xpac — Mon, 30 Apr 2018 22:26:48 GMT

You could try it like this:

index=whatever your-search-terms
| transaction 52634 startswith=eval(isnotnull(cs_uri_query)) endswith=eval(like(cs_method, "POST"))

You might need to fine tune the transaction, find more details here: transaction docs

Re: Find a specific kind of event before event result

woodcock — Tue, 01 May 2018 15:41:28 GMT

Assuming x_uid can be used as a SessionID, like this:

Your Existing Search Here
| eventstats values(cs_uri_query) AS cs_uri_query BY x_uid
| search cs_method="POST"