topic Re: correlate value using common field in Splunk Search

correlate value using common field

MrGlass — Fri, 22 Mar 2024 22:22:49 GMT

Here is my search in question, the common field is the SessionID

index=eis_lb apm_eis_rdp |fillnull value="-" |search UserID!="-" | rex field=_raw "\/Common\/apm_eis_rdp:ent-eis[:a-zA-Z0-9_.-](?'SessionID'........)" |search company_info="*" |rename company_info as "Agency" | table _time, SessionID, UserID,Full_Name, Agency, HostName, client_ip | sort - _time _time SessionID UserID Full_Name Agency HostName client_ip 2024-03-22 08:25:29 4f89ae57 Redacted Redacted Redacted Redacted -

If I remove the Search UserID I can see the matching session ID and the client_ip is present.

_time SessionID UserID Full_Name Agency HostName client_ip

2024-03-22 14:26:48 4f89ae57 Redacted Redacted Redacted Redacted -
2024-03-22 14:25:52 4f89ae57 - - - - Redacted

How can I create a search like above to show the client_ip maching the SessionID

Re: correlate value using common field

isoutamo — Fri, 22 Mar 2024 22:07:38 GMT

normally you could use e.g. stats to do correlation between events. In your case try e.g.

... | stats first(_time) as _time values(*) as * by SessionID

This will generate one event by each SessionID with contains other fields as multivalue fields or if values was same in all combined events then normal field.

r. Ismo

Re: correlate value using common field

MrGlass — Tue, 26 Mar 2024 13:55:43 GMT

Thank You, this worked, the only thing I wish I could see is just the matched lines and get rid of the blank rows.

Re: correlate value using common field

isoutamo — Tue, 26 Mar 2024 19:05:57 GMT

You should look e.g where an isnull function. With it you could drop unwanted rows away.