https://community.splunk.com/t5/Splunk-Search/Frequency-correlation-between-different-sourcetypes/m-p/138967#M38169 <P>What is your end goal? Are you trying to compare counts, or are you trying to correlate each Alerts event with an ExceptionLog event? Why are you putting it into a bucket specifically rather than simply working with search results? (Not that using a bucket is bad, but I am just looking for your thought process and reasoning so we can help you more.)</P> Tue, 12 Nov 2013 17:34:09 GMT jtrucks 2013-11-12T17:34:09Z https://community.splunk.com/t5/Splunk-Search/Frequency-correlation-between-different-sourcetypes/m-p/138966#M38168 <P>I have two sourcetypes, one containing alerts from users that we have a problem, and another one with server logs. In a first stage, I would like to correlate the number of exceptions and the number of alerts received. I'm struggling with how to implement this, however. I tried starting from <CODE>(sourcetype="Alerts") OR (sourcetype="ExceptionLog" level="Warning" OR level="Error") | bin _time span=3h</CODE>. So, I would like to get the number of alerts in a bucket, and associate it with the number of exceptions in the same bucket, but how? I read <A href="http://blogs.splunk.com/2012/10/01/simple-correlation-in-splunk">http://blogs.splunk.com/2012/10/01/simple-correlation-in-splunk</A>, but didn't seem to work for my case.</P> Tue, 12 Nov 2013 17:07:31 GMT https://community.splunk.com/t5/Splunk-Search/Frequency-correlation-between-different-sourcetypes/m-p/138966#M38168 nl_cape 2013-11-12T17:07:31Z https://community.splunk.com/t5/Splunk-Search/Frequency-correlation-between-different-sourcetypes/m-p/138967#M38169 <P>What is your end goal? Are you trying to compare counts, or are you trying to correlate each Alerts event with an ExceptionLog event? Why are you putting it into a bucket specifically rather than simply working with search results? (Not that using a bucket is bad, but I am just looking for your thought process and reasoning so we can help you more.)</P> Tue, 12 Nov 2013 17:34:09 GMT https://community.splunk.com/t5/Splunk-Search/Frequency-correlation-between-different-sourcetypes/m-p/138967#M38169 jtrucks 2013-11-12T17:34:09Z https://community.splunk.com/t5/Splunk-Search/Frequency-correlation-between-different-sourcetypes/m-p/138968#M38170 <P>Try this</P> <PRE><CODE> (sourcetype="Alerts") OR (sourcetype="ExceptionLog" level="Warning" OR level="Error") | bucket _time span=1d | stats count(eval(sourcetype="Alerts")) as Alerts count(eval(sourcetype="ExceptionLog")) as Exceptions by host _time </CODE></PRE> <P>As @jtrucks pointed out, you didn't give any criteria for correlating the two sets of events, so I did it by host and day.</P> Tue, 12 Nov 2013 19:16:57 GMT https://community.splunk.com/t5/Splunk-Search/Frequency-correlation-between-different-sourcetypes/m-p/138968#M38170 lguinn2 2013-11-12T19:16:57Z https://community.splunk.com/t5/Splunk-Search/Frequency-correlation-between-different-sourcetypes/m-p/138969#M38171 <P>Interesting, that is precisely what I tried. What happens is that I get no results from <CODE>count(sourcetype="AnySource")</CODE>. I even tried <CODE>sourcetype!="Alerts")</CODE>, and I still get a count of zero. Removing the <CODE>stats</CODE> command, or removing the <CODE>sourcetype</CODE>, works as expected.</P> Wed, 13 Nov 2013 07:47:14 GMT https://community.splunk.com/t5/Splunk-Search/Frequency-correlation-between-different-sourcetypes/m-p/138969#M38171 nl_cape 2013-11-13T07:47:14Z https://community.splunk.com/t5/Splunk-Search/Frequency-correlation-between-different-sourcetypes/m-p/138970#M38172 <P>@jtrucks: The first idea is to explore if there is a correlation between user alerts and exceptions we log. I'd like to do a scatter plot of this over time, which should hopefully make this somewhat clear.</P> Wed, 13 Nov 2013 07:48:57 GMT https://community.splunk.com/t5/Splunk-Search/Frequency-correlation-between-different-sourcetypes/m-p/138970#M38172 nl_cape 2013-11-13T07:48:57Z https://community.splunk.com/t5/Splunk-Search/Frequency-correlation-between-different-sourcetypes/m-p/138971#M38173 <P>Ah. Changing it to <CODE>count(eval(sourcetype="Alerts"))</CODE> makes it work. As is clearly written in the docs. Whoops.</P> Wed, 13 Nov 2013 08:03:48 GMT https://community.splunk.com/t5/Splunk-Search/Frequency-correlation-between-different-sourcetypes/m-p/138971#M38173 nl_cape 2013-11-13T08:03:48Z https://community.splunk.com/t5/Splunk-Search/Frequency-correlation-between-different-sourcetypes/m-p/138972#M38174 <P>Aww, raspberry to me! I will fix the answer - thanks.</P> Thu, 14 Nov 2013 05:57:31 GMT https://community.splunk.com/t5/Splunk-Search/Frequency-correlation-between-different-sourcetypes/m-p/138972#M38174 lguinn2 2013-11-14T05:57:31Z