https://community.splunk.com/t5/Splunk-Search/Can-someone-suggest-few-ways-of-correlation-of-two-or-more/m-p/392581#M171033 <P>Most welcome ! Please upvote and accept the answer if it was helpful <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 28 May 2019 11:16:34 GMT DavidHourani 2019-05-28T11:16:34Z https://community.splunk.com/t5/Splunk-Search/Can-someone-suggest-few-ways-of-correlation-of-two-or-more/m-p/392574#M171026 <P>I have a ticket dump with following fields. <BR /> Transaction ID<BR /> Transaction Type<BR /> Description<BR /> Priority<BR /> urgency<BR /> Created On<BR /><BR /> Created By<BR /> Actual Closed<BR /> Resolution code<BR /> SR Type<BR /> App ID</P> <P>My need to correlate among 2 fields. Please do provide few correlation search commands(SPL) with above fields. Also need to convert the search into dashboards. </P> Tue, 28 May 2019 10:10:04 GMT https://community.splunk.com/t5/Splunk-Search/Can-someone-suggest-few-ways-of-correlation-of-two-or-more/m-p/392574#M171026 asm_coe 2019-05-28T10:10:04Z https://community.splunk.com/t5/Splunk-Search/Can-someone-suggest-few-ways-of-correlation-of-two-or-more/m-p/392575#M171027 <P>You can do co-relation in multiple ways</P> <OL> <LI>If each event contains all the fields =&gt; <CODE>index=yourIndex sourcetype=yourSourceType Priority&gt;2 Transaction_ID="12345"</CODE></LI> <LI>If you want to club multiple events, then do <A href="https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Transaction">transaction</A> command</LI> </OL> <P>Please do read about converting searches to Dashboard<BR /> 1. Build basic dashboard =&gt; <A href="http://dev.splunk.com/view/webframework-tutorials/SP-CAAAEN4">http://dev.splunk.com/view/webframework-tutorials/SP-CAAAEN4</A><BR /> 2. <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/Createnewdashboard">https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/Createnewdashboard</A></P> Tue, 28 May 2019 10:24:02 GMT https://community.splunk.com/t5/Splunk-Search/Can-someone-suggest-few-ways-of-correlation-of-two-or-more/m-p/392575#M171027 koshyk 2019-05-28T10:24:02Z https://community.splunk.com/t5/Splunk-Search/Can-someone-suggest-few-ways-of-correlation-of-two-or-more/m-p/392576#M171028 <P>Hi @asm_coe,</P> <P>Correlation takes place usually between multiple sources with similar fields. I think you're looking for building transactions. For that you can use the <CODE>transaction</CODE> command.</P> <P>Your SPL would look like this :</P> <PRE><CODE>index= yourIndex sourcetype=yourSourcetype | transaction Transaction_ID App_ID </CODE></PRE> <P>This will combine all fields with similar transaction ID and APP ID together.</P> <P>Official documentation here for the latest version:<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction</A></P> <P>Let me know if that helps.</P> <P>Cheers,<BR /> David</P> Tue, 28 May 2019 10:27:22 GMT https://community.splunk.com/t5/Splunk-Search/Can-someone-suggest-few-ways-of-correlation-of-two-or-more/m-p/392576#M171028 DavidHourani 2019-05-28T10:27:22Z https://community.splunk.com/t5/Splunk-Search/Can-someone-suggest-few-ways-of-correlation-of-two-or-more/m-p/392577#M171029 <P>Thanks David for the quick help, Also please how can I convert this search into a dashboard. like chart or pie chart.</P> Tue, 28 May 2019 10:59:35 GMT https://community.splunk.com/t5/Splunk-Search/Can-someone-suggest-few-ways-of-correlation-of-two-or-more/m-p/392577#M171029 asm_coe 2019-05-28T10:59:35Z https://community.splunk.com/t5/Splunk-Search/Can-someone-suggest-few-ways-of-correlation-of-two-or-more/m-p/392578#M171030 <P>Thanks Koshyk, Can you please suggest few correlation commands.</P> Tue, 28 May 2019 11:00:50 GMT https://community.splunk.com/t5/Splunk-Search/Can-someone-suggest-few-ways-of-correlation-of-two-or-more/m-p/392578#M171030 asm_coe 2019-05-28T11:00:50Z https://community.splunk.com/t5/Splunk-Search/Can-someone-suggest-few-ways-of-correlation-of-two-or-more/m-p/392579#M171031 <P>Ah, that's the easy part ^^ After running the search right next to the search button there is a "save as" button. Click that, select <STRONG>dashboard panel</STRONG> and then select either to make a new dashboard or an existing one.<BR /> If you need some documentation about that let me know !</P> Tue, 28 May 2019 11:01:59 GMT https://community.splunk.com/t5/Splunk-Search/Can-someone-suggest-few-ways-of-correlation-of-two-or-more/m-p/392579#M171031 DavidHourani 2019-05-28T11:01:59Z https://community.splunk.com/t5/Splunk-Search/Can-someone-suggest-few-ways-of-correlation-of-two-or-more/m-p/392580#M171032 <P>Thanks David for your help. Really appreciated.</P> Tue, 28 May 2019 11:11:40 GMT https://community.splunk.com/t5/Splunk-Search/Can-someone-suggest-few-ways-of-correlation-of-two-or-more/m-p/392580#M171032 asm_coe 2019-05-28T11:11:40Z https://community.splunk.com/t5/Splunk-Search/Can-someone-suggest-few-ways-of-correlation-of-two-or-more/m-p/392581#M171033 <P>Most welcome ! Please upvote and accept the answer if it was helpful <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 28 May 2019 11:16:34 GMT https://community.splunk.com/t5/Splunk-Search/Can-someone-suggest-few-ways-of-correlation-of-two-or-more/m-p/392581#M171033 DavidHourani 2019-05-28T11:16:34Z