topic Event Correlation in Splunk Search

Event Correlation

ninadmnaik — Mon, 28 Sep 2020 11:57:44 GMT

I have two events:

Event 1:
transactionId=123 field_x=x_value

Event 2
transactionId=123 status=success

How can I correlate these two?
I want to create a timechart for “field_x” when “status=success”

So, basically, the search quey is:
transactionId field_x | timechart count by field_x

But I want to get all “field_x” only when status=success.

So, I guess this is equivalent to SQL IN() construct:
SELECT field_x from table where transactionId IN (SELECT transactionId from table where status=success);

I am trying to do a subsearch like:
source="source1" field_x=* transactionId [search source="source1" AND status=success | fields transactionId] | timechart count by field_x

Doesn't seem to be working.

Re: Event Correlation

lguinn2 — Wed, 20 Jun 2012 00:20:35 GMT

Try this:

yoursearchhere | 
transaction transactionId | 
search status=success | 
timechart count by field_x

I think you were making it too hard! 🙂

Re: Event Correlation

ninadmnaik — Mon, 28 Sep 2020 11:57:47 GMT

Oh yes, that does make sense. But this isn't working either. Splunk isn't finding any matching events.

Here's the updated query as per your suggestion.

source="source1" field_x=* |
transaction transactionId |
search status=success |
timechart count by field_x

Re: Event Correlation

ninadmnaik — Mon, 28 Sep 2020 11:57:50 GMT

No, you are right. Updated my query to:

source="source1" field_x=* OR status=success |
transaction transactionId |
search status=success |
timechart count by field_x

Now it's giving me the chart.

However, one little thing. Along with the four values of "field_x" it's also showing a value "NULL". Wonder why is that.

Will update this when I find out about NULL.

Please let me know if you have an idea.

Thanks a bunch for your answer.

Re: Event Correlation

lguinn2 — Wed, 20 Jun 2012 01:39:27 GMT

I think that you have some transactions that do not have field_x in them. Try this

source="source1" field_x=* OR status=success | transaction transactionId | search status=success AND field_x="*" | timechart count by field_x

Re: Event Correlation

ninadmnaik — Mon, 28 Sep 2020 11:58:08 GMT

No, I take it back. When I said it was working, I missed the following line (bold) in the query:

source="source1" field_x=* OR status=success |
transaction transactionId |
search status=success |
timechart count by field_x

If I add this line "search status=success", I don't get any results. And without checking whether "status=success" I will get all "field_x" values for which "status=failed" as well.

Re: Event Correlation

ninadmnaik — Mon, 28 Sep 2020 11:58:11 GMT

As per your new suggestion, that won't work, because:
search status=success AND field_x="*"

For the above to work, both the fields should be in the same logging event right? But they aren't.
I have two different logging events as:

Event 1:
transactionId=123 field_x=x_value

Event 2
transactionId=123 status=success

Re: Event Correlation

lguinn2 — Wed, 20 Jun 2012 18:52:47 GMT

What do you get when you just do

source="source1" field_x=* OR status=success |
transaction transactionId

Re: Event Correlation

lguinn2 — Wed, 20 Jun 2012 18:52:55 GMT

The transaction consists of a set of events, all with the same transactionId. The search command applies to the entire transaction, not the individual events. So the AND should be okay.

Re: Event Correlation

ninadmnaik — Wed, 20 Jun 2012 19:39:44 GMT

Oh yeah, you're right. That did it. Thanks a bunch !!