Event Correlation - Display events from two source...

mhpeters · ‎05-30-2017

I'm trying to do event correlation between two different sourcetypes using the following:

sourcetype=logweb host=s09 resultcode=503 | join _time [search sourcetype=OWAlog host=s09]

Only the events from the first sourcetype are being displayed. I need to see events from both sourcetypes.

What am I doing wrong?

mhpeters · ‎05-30-2017

I've tried a bunch of combinations taking into consideration the suggestions above. I'm still unable to view the actual events around the time of the 503 error in the logweb. Some searches (with the join) only display the logweb events, others(with transaction) only display the OWAlog events.

adonio · ‎05-31-2017

can you share sample data from both sourcetypes?
are you trying to see events around a 503 error from both sourcetypes?
what is the anticipated results and format?

mhpeters · ‎05-31-2017

Yes, I'm trying to see events around a 503 from both sourcetypes. Here's what is getting close to what I want:

((sourcetype=logweb) OR (sourcetype=OWAlog)) host=s09 | bin _time span=10s | transaction _time maxspan=30s | search resultcode=503

Here's a snipped of what is being returned:

::ffff:172.16.1.94 - amy [30/May/2017:17:59:51 --700] "POST /4DACTION/WebShowRACategories/ HTTP/1.1" 503 1680 ::ffff:172.16.1.91 - - [30/May/2017:17:59:56 --700] "GET /4DACTION/WebADCeSignWidget/201705300000168/General%20Release/30824217/ HTTP/1.1" 503 1680 ::ffff:172.16.1.91 - Nightingale [30/May/2017:17:59:56 --700] "GET /4DACTION/WebAppOrderEntry/Nightingale/Nightingale HTTP/1.1" 503 1680 May 30 17:59:58 172.16.1.53 zabbix Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) May 30 17:59:58 172.16.1.53 Concorde Concorde RA zabbix /4DAction/WebShowMenu May 30 17:59:58 172.16.1.53 zabbix Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)

I would like to see events around both sides of the 503.

adonio · ‎05-31-2017

check these answers:
https://answers.splunk.com/answers/2602/can-splunk-filter-match-events-and-bring-back-neighbouring-e...
https://answers.splunk.com/answers/150509/how-to-get-events-around-identified-event.html
also, there is a function in GUI that does that.
pick the event you want, expand it, look for the time field, click on the down arrow, fill the dialog box with the amount of time you want to see events before and after the picked event

woodcock · ‎05-30-2017

Try this (assuming the events are close in time but do not have the exact same time):

((index="SomeIndexHere" sourcetype="logweb" resultcode="503") OR (index="OtherIndexHere" sourcetype="OWAlog")) host="s09"
| bin _time span=5m | stats values(*) AS * BY _time

mhpeters · ‎05-30-2017

This yielded output but I wasn't able to interpret the results.

cmerriman · ‎05-30-2017

Do they have the same time stamps? You might need to |bucket _time span=5s Or something if one source type has events a few seconds after the other.

Is there another field the two source types have in common?

adonio · ‎05-30-2017

looks like host is common
first search | join host [ search second search]

cmerriman · ‎05-31-2017

if they're filtering by host, it really won't do much.

Event Correlation - Display events from two sourcetypes

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!