How to tie multiple events together (transaction, join, etc.)

SplunkUser001 — Mon, 21 Oct 2024 15:21:29 GMT

Hi,

I am trying to tie multiple events describing single transaction together.
This is my test example:

Event
	Oct 21 08:19:42 host.company.com 2024-10-21T13:19:42.391606+00:00 host sendmail[8920]: 49L2pZMi015103: to=recipient@company.com, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, tls_verify=NONE, tls_version=NONE, cipher=NONE, pri=261675, relay=host.company.com. [X.X.X.X], dsn=2.6.0, stat=Sent (105f7c9d-76a2-a595-e329-617f87ba2602@company.com [InternalId=19267223300036, Hostname=HOSTNAME.company.com] 145203 bytes in 0.663, 213.865 KB/sec Queued mail for delivery)
	Oct 21 08:19:41 host.company.com 2024-10-21T13:19:41.715034+00:00 host filter_instance1[31332]: rprt s=42cu1tbqet m=1 x=42cu1tbqet-1 mod=mail cmd=msg module= rule= action=continue attachments=4 rcpts=1 routes=allow_relay,default_inbound,internalnet size=143489 guid=jb9XbZ5Gez432DgKTDz22jNgntXrF6xb hdr_mid=105f7c9d-76a2-a595-e329-617f87ba2602@company.com qid=49L2pZMi015103 hops-ip=Y.Y.Y.Y subject="Your Weekly Insights" duration=0.095 elapsed=0.353
	Oct 21 08:19:41 host.company.com 2024-10-21T13:19:41.714759+00:00 usdfwppserai1 filter_instance1[31332]: rprt s=42cu1tbqet m=1 x=42cu1tbqet-1 cmd=send profile=mail qid=49L2pZMi015103 rcpts=recipient@company.com
	Oct 21 08:19:41 host.company.com 2024-10-21T13:19:41.675365+00:00 host sendmail[15103]: 49L2pZMi015103: from=sender@company.com, size=141675, class=0, nrcpts=1, msgid=105f7c9d-76a2-a595-e329-617f87ba2602@company.com, proto=ESMTP, daemon=MTA, tls_verify=NONE, tls_version=NONE, cipher=NONE, auth=NONE, relay=host.company.com [Z.Z.Z.Z]

I can extract message id (105f7c9d-76a2-a595-e329-617f87ba2602@company.com) and qid (49L2pZMi015103) from the topmost message and tie it this way to the bottom one, but this is only two events out of series of four. How would I generate complete view of all four events? I am looking to get sender and recipient SMTP addresses, subject and message sizes from top and bottom event.
Any help would be greatly appreciated.

Re: How to tie multiple events together (transaction, join, etc.)

ITWhisperer — Mon, 21 Oct 2024 16:00:27 GMT

Try something like this (although you will have to tweak it to get the size you want)

| eventstats values(hdr_mid) as msgid by qid | stats values(from) as sender, values(to) as recipient values(subject) as subject values(size) as size by msgid

topic Re: How to tie multiple events together (transaction, join, etc.) in Splunk Search

How to tie multiple events together (transaction, join, etc.)

Re: How to tie multiple events together (transaction, join, etc.)