topic Re: events correlation rules in Splunk Search

events correlation rules

trazomtg — Thu, 28 Aug 2025 12:39:35 GMT

hi,

how to correlate event with event correlation rule ? so, how can i write a correlation rule ?

Thanks a lot

Re: events correlation rules

livehybrid — Thu, 28 Aug 2025 12:58:52 GMT

In order for us to help you please could you provide more detail on what you are trying to achieve and product(s) you’re using.

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful

Marking it as the solution if it resolved your issue

Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing.

Re: events correlation rules

PickleRick — Thu, 28 Aug 2025 13:03:54 GMT

Correlation search is just a scheduled search with extra steps. So you need to know what you are looking for write a search looking for it (preferably an effective one since it's gonna be spawned often probably) and configure the rest of the settings for the correlation search (which will be different depending on whether you mean a correlation search in SE or ITSI)

Re: events correlation rules

trazomtg — Thu, 28 Aug 2025 13:13:59 GMT

hi,

it's simple. I receive lot of events from different hosts. They mention that all the hosts are down. but the reason is that the router connected to these hosts is down. So i don't want to receive messages from hosts but just 1 message from the router

Re: events correlation rules

gcusello — Thu, 28 Aug 2025 13:25:50 GMT

Hi @trazomtg ,

as the others already said, in Splunk, you can correlate events from the same or different data sources, even if etherogenous or different.

The rule to create a correlation search, is to identify the correlation key, in other words the fields to use to correlate the different events.

We could help you, but it's mandatory to have more details about the data flows to correlate.

as an exmple, you could correlate access logs to a windows server with an entrance badge, so if in windows the login is recognized by user and EventCode=4624 and e.g. in the entrance badge the user field is username and the action is action="access", you could create a search like the following:

(index=wineventlog EventCode=4624) OR (index=entrance_badge action="access") | user=coalesce(user,username) | stats earliest(eval(if(index=wineventlog,_time,""))) AS wineventlog_time earliest(eval(if(index=entrance_badge,_time,""))) AS entrance_badge_time dc(index) AS index_count BY user | eval wineventlog_time=strftime(wineventlog_time,"%Y-%m-%d %H:%M:%S"), entrance_badge_time=strftime(entrance_badge_time,"%Y-%m-%d %H:%M:%S")

In this way, you can check that a user is present in the office when accessed a server.

Ciao.

Giuseppe

Re: events correlation rules

yuanliu — Fri, 29 Aug 2025 07:01:43 GMT

As @gcusello indicates, you will need a common/correlation field between host message and router message. It is best for you to illustrate your data, even mock data, and illustrate how you want the output to be. (You have just explained the logic between input and desired output. This is good.)

Short of your illustrations, let me assume that the common field in host message (sourcetype=host_message) is named gateway, and that in router message (sourcetype=router_message) is named side_a. Assume further that there is a field named status in both. (But statuses are independent despite a common name.)

While the above assumptions about data are reasonable, it is even more critical to have your input about your use case, i.e., desired results. Here, I imagine that you want Splunk to output all host failure messages if their common gateway is up, but if a common gateway is down, you want to suppress host failure messages, only output router failure message.

This is how you should describe your use case using data:

host:

gateway	host	sourcetype	status
10.0.0.1	host1	host_message	up
10.0.0.1	host2	host_message	down
10.0.1.1	host3	host_message	down
10.0.0.1	host4	host_message	up
10.0.1.1	host5	host_message	down
10.0.0.1	host6	host_message	down
10.0.1.1	host7	host_message	down

router:

host	side_a	sourcetype	status
router1	10.0.0.1	router_message	up
router2	10.0.1.1	router_message	down

Desired results:

gateway	host	side_a	sourcetype	status
10.0.0.1	host2		host_message	down
10.0.0.1	host6		host_message	down
	router2	10.0.1.1	router_message	down

Logic between data and desired results:

When a gateway router is down, I don't want to see host failure messages using that gateway.

This is a search to get such output from illustrated data:

sourcetype IN (host_message, router_message) status = down | eval down_router = if(sourcetype == "router_message", host, null()) | eval router = coalesce(gateway, side_a) | eventstats values(down_router) as down_router by router | where isnull(down_router) or sourcetype == "router_message" | fields - down_router router

Here is an emulation for you to play with and compare with real data.

| makeresults format=csv data="host,gateway,status host1, 10.0.0.1, up host2, 10.0.0.1, down host3, 10.0.1.1, down host4, 10.0.0.1, up host5, 10.0.1.1, down host6, 10.0.0.1, down host7, 10.0.1.1, down" | eval sourcetype = "host_message" | append [ makeresults format=csv data="host, side_a, status router1, 10.0.0.1, up router2, 10.0.1.1, down" | eval sourcetype = "router_message"] | search status = down ``` the above emulates sourcetype IN (host_message, router_message) status = down ```