topic Re: How to fetch REQUEST and RESPONSE events based on clientIP mentioned in third event of HEADER? in Splunk Search

How to fetch REQUEST and RESPONSE events based on clientIP mentioned in third event of HEADER?

dmuley — Thu, 30 Jun 2022 15:53:33 GMT

2022-06-12 21:51:42.274 threadId=L4C9D6WIYK2K eventType="RESPONSE" data="<TestRQ>sometestdata</TestRQ>"
2022-06-12 21:51:41.274 threadId=L4C9D6WIYK2K eventType="REQUEST" data="<TestRQ>sometestdata</TestRQ>"
2022-06-12 21:51:40.274 threadId=L4C9D6WIYK2K eventType="HEADER" data="clientIP=101.121.22.11"

Hello Team,

I have the series of events as shown above and if you see one of the event having eventType="HEADER" I have clientIP in data field .

I need to fetch REQUEST and RESPONSE events based on clientIP mentioned in third event of HEADER. Common UNIQUEID between all 3 events is threadID , How can I achieve this in splunk query ?

new to splunk i am just good in basic searches.

index= test eventType="HEADER" clientIP=101.121.22.11------>> and pass on the threadID to fetch the eventType="REQUEST" eventType="RESPONSE"

@ITWhisperer

Re: How to fetch REQUEST and RESPONSE events based on clientIP mentioned in third event of HEADER?

VatsalJagani — Thu, 30 Jun 2022 16:42:47 GMT

@dmuley - You can use a search like this:

<Your query to fetch all the events> (index=test) | eval {eventType}=data | stats values(Header) as HEADER, values(REQUEST) as REQUEST, values(RESPONSE) as RESPONSE by threadId | search HEADER="*101.121.22.11*"

(I'm assuming that threatId is what is unique between these 3 events.)

I hope this helps!!!

Re: How to fetch REQUEST and RESPONSE events based on clientIP mentioned in third event of HEADER?

dmuley — Thu, 30 Jun 2022 18:01:37 GMT

@VatsalJagani thanks you it works till stats but search command (lastline) is not giving any output unfortunately even though data is present.

Re: How to fetch REQUEST and RESPONSE events based on clientIP mentioned in third event of HEADER?

richgalloway — Thu, 30 Jun 2022 18:14:03 GMT

Sub queries (called "subsearch") are supported in Splunk and are specified by putting the SPL inside square brackets. The subsearch runs first and its results are then appended to the text of the main search.

index=test eventType IN ("REQUEST" "RESPONSE") [ index=test eventType="HEADER" clientIP=101.121.22.11 | fields threadId | format ]

The fields command makes sure only the needed field is returned while format puts the results into (threadId=foo OR threadId=bar) form.

Re: How to fetch REQUEST and RESPONSE events based on clientIP mentioned in third event of HEADER?

PickleRick — Thu, 30 Jun 2022 18:15:39 GMT

The most obvious thing would be to use transaction to group the events by threadId.

But that would mean "squishing" togethet the eventType and data values so you'd have to do some clever joining/separating fields. Feasible but not very pretty.

You could do the same but firstly rename fields conditionally so that you end up with properly uniquely named fields per threadId. Then you could either do the transaction command or stats values (stats is usually a better approach) by threadId.

You can also use xyseries to "unpack" the separate fields into a table.