topic Using three events without common fields to get list of IDs in Splunk Search

Using three events without common fields to get list of IDs

RyanJWilliams — Tue, 22 Sep 2020 17:27:36 GMT

Hi all,

I'm trying to figure out how to get my hands on a list of IDs which are determined by referring to three events. I have to not use things such as join, transaction, or sub-search due to the event limits involved.

Specifically, I have:

Event A which contains a req_id
Event B which contains the same req_id and a correlationId
Event C which does not contain a req_id but contains the correlationId from Event B and also a personId that I need

The reason I need to use Event A rather than just look at Event B and Event C is because there are numerous occurrences of Event B that are unrelated, so I first have to ensure they can be associated with an Event A.

TLDR! I need the list of personId values that come from Event C, but first I need to make sure they are associated with Event A and Event B — the challenge being there is no one value contained by all three.

Re: Using three events without common fields to get list of IDs

RyanJWilliams — Tue, 22 Sep 2020 17:30:02 GMT

If it helps, here is roughly what I did to achieve this using transaction, but because I need to run it over months this very quickly exhausts Splunk's event limits:

Re: Using three events without common fields to get list of IDs

ITWhisperer — Tue, 22 Sep 2020 22:42:14 GMT

Try something like this

-- your search with all types of events | eventstats values(correlationId) as correlationId by req_id | eventstats values(personId) as personId by correlationId

Event A should now have all three ids