topic Re: How can I analyze different events where the field is the same but different keywords and get a count of events where one event led to another? in Splunk Search

How can I analyze different events where the field is the same but different keywords and get a count of events where one event led to another?

macadminrohit — Wed, 07 Feb 2018 21:19:03 GMT

Hi Experts,

I have got a requirement where I have a few events where one of the fields contains some keyword say "Unhandled exception" which is being followed by subsequent events with different keywords say "Authorisation Started".

So basically I am trying to analyze different events where the Field is the same but different keywords and we are trying to check for that relationship which will help us to find the count of events where one event led to another.

let me know if that is possible and through which command.

Re: How can I analyze different events where the field is the same but different keywords and get a count of events where one event led to another?

elliotproebstel — Wed, 07 Feb 2018 21:27:31 GMT

This is definitely possible, and it will be easiest for us to help if you can provide some sample events (with sensitive data redacted, if necessary). When you post them, use the 101010 code button to wrap your events and make them more easily readable.

Re: How can I analyze different events where the field is the same but different keywords and get a count of events where one event led to another?

DUThibault — Wed, 07 Feb 2018 21:44:17 GMT

Could you describe this in more detail? A sample set of events would do wonders. Also, do you want to do this at index time or at search time?

Re: How can I analyze different events where the field is the same but different keywords and get a count of events where one event led to another?

macadminrohit — Wed, 07 Feb 2018 22:03:59 GMT

Here you go, below is the

{"bdy":{"msg":"AuthenticationPage loaded.","metricName":"PageLoad","metricValue":"AuthenticationPage","measuredTime":"00:00:00.2587706"},"hdr":{"level":"Information","timestamp":"2018-02-07T21:59:12.3973812Z","lineNum":0,"loc":"ABC","ABCId":"0170","ip":"xx.xx.xx.xx","hostName":"xx.xx","macaddress":"mac-d","eventid":0,"appVersion":"18","appName":"Logon","deviceModel":"","osVersion":"1944","firmwareVersion":"17222.0"},"ver":"0.1"}

In the first event we have to catch for the keyword "AuthenticationPage Loaded" and check for any events in past 2-3 minutes if the below event(or any event ) happened which has error "Unhandled Exception" . And if that is the case we need the count based on the location.

{"bdy":{"msg":"Unhandled Exception","ex":{"Msg":"Unable to Claim . P.Scanner.GetDefaultAsync() returned null. This generally means you need to add DeviceCapability for Service in Package.appxmanifest file.","StackTrace":" at Abcde.Core.device.WinRT.Scanner.d__32.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at

Re: How can I analyze different events where the field is the same but different keywords and get a count of events where one event led to another?

macadminrohit — Wed, 07 Feb 2018 22:04:49 GMT

{"bdy":{"msg":"AuthenticationPage loaded.","metricName":"PageLoad","metricValue":"AuthenticationPage","measuredTime":"00:00:00.2587706"},"hdr":{"level":"Information","timestamp":"2018-02-07T21:59:12.3973812Z","lineNum":0,"loc":"ABC","ABCId":"0170","ip":"xx.xx.xx.xx","hostName":"xx.xx","macaddress":"mac-d","eventid":0,"appVersion":"18","appName":"Logon","deviceModel":"","osVersion":"1944","firmwareVersion":"17222.0"},"ver":"0.1"}

{"bdy":{"msg":"Unhandled Exception","ex":{"Msg":"Unable to Claim . P.Scanner.GetDefaultAsync() returned null. This generally means you need to add DeviceCapability for Service in Package.appxmanifest file.","StackTrace":" at Abcde.Core.device.WinRT.Scanner.d__32.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at

I want to achieve this in a dashboard, so it will be at the search time.

Re: How can I analyze different events where the field is the same but different keywords and get a count of events where one event led to another?

macadminrohit — Wed, 07 Feb 2018 22:07:26 GMT

So basically these are JSON events which are automatically parsed by splunk into fields. And i need to search for the strings in bdy.msg field and find the number of such occurrences by another field (bdy.mac)

Re: How can I analyze different events where the field is the same but different keywords and get a count of events where one event led to another?

macadminrohit — Wed, 07 Feb 2018 22:30:02 GMT

And good thing is that there is a field in these events which is macaddress and we want to capture these events for the same macaddress. So i am thinking we could do this using transaction command.