How can I analyze different events where the field is the same but different keywords and get a count of events where one event led to another?

Contributor

Hi Experts,

I have got a requirement where I have a few events where one of the fields contains some keyword, say "Unhandled exception", which is being followed by subsequent events with different keywords, say "Authorisation Started".

So basically I am trying to analyze different events where the field is the same but with different keywords, and we are trying to check for that relationship, which will help us to find the count of events where one event led to another.

Let me know if that is possible and through which command.

0 Karma

Contributor

Could you describe this in more detail? A sample set of events would do wonders. Also, do you want to do this at index time or at search time?

0 Karma

Contributor

{"bdy":{"msg":"AuthenticationPage loaded.","metricName":"PageLoad","metricValue":"AuthenticationPage","measuredTime":"00:00:00.2587706"},"hdr":{"level":"Information","timestamp":"2018-02-07T21:59:12.3973812Z","lineNum":0,"loc":"ABC","ABCId":"0170","ip":"xx.xx.xx.xx","hostName":"xx.xx","macaddress":"mac-d","eventid":0,"appVersion":"18","appName":"Logon","deviceModel":"","osVersion":"1944","firmwareVersion":"17222.0"},"ver":"0.1"}

In the first event we have to catch the keyword "AuthenticationPage Loaded" and check for any events in the past 2-3 minutes where the below event (or any event) happened which has the error "Unhandled Exception". And if that is the case, we need the count based on the location.

{"bdy":{"msg":"Unhandled Exception","ex":{"Msg":"Unable to Claim . P.Scanner.GetDefaultAsync() returned null. This generally means you need to add DeviceCapability for Service in Package.appxmanifest file.","StackTrace":" at Abcde.Core.device.WinRT.Scanner.d__32.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at

I want to achieve this in a dashboard, so it will be at the search time.

0 Karma

This is definitely possible, and it will be easiest for us to help if you can provide some sample events (with sensitive data redacted, if necessary). When you post them, use the 101010 code button to wrap your events and make them more easily readable.

0 Karma

Contributor

And the good thing is that there is a field in these events which is macaddress, and we want to capture these events for the same macaddress. So I am thinking we could do this using the transaction command.

0 Karma

Contributor

So basically these are JSON events which are automatically parsed by Splunk into fields. And I need to search for the strings in the bdy.msg field and find the number of such occurrences by another field (bdy.mac).

0 Karma
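An added example (not from the thread or from Splunk) of the correlation the thread describes, written in Python so it runs on sample lines: it does what `transaction hdr.macaddress startswith="Unhandled Exception" endswith="AuthenticationPage loaded." maxspan=3m | stats count by hdr.loc` would do in an SPL search, i.e. for each macaddress it counts page loads preceded within a window by an Unhandled Exception, grouped by location. The events are constructed in the thread's JSON shape (only the fields needed are kept) and the 3-minute window is an assumption.

```python
import json
from datetime import datetime, timezone

# Constructed sample events in the thread's JSON shape (timestamps and locations are made up).
SAMPLE_EVENTS = [
    '{"bdy":{"msg":"Unhandled Exception"},"hdr":{"timestamp":"2018-02-07T21:57:30.0000000Z","loc":"ABC","macaddress":"mac-d"}}',
    '{"bdy":{"msg":"AuthenticationPage loaded."},"hdr":{"timestamp":"2018-02-07T21:59:12.3973812Z","loc":"ABC","macaddress":"mac-d"}}',
    '{"bdy":{"msg":"Unhandled Exception"},"hdr":{"timestamp":"2018-02-07T21:50:00.0000000Z","loc":"XYZ","macaddress":"mac-e"}}',
    '{"bdy":{"msg":"AuthenticationPage loaded."},"hdr":{"timestamp":"2018-02-07T21:59:00.0000000Z","loc":"XYZ","macaddress":"mac-e"}}',
    '{"bdy":{"msg":"AuthenticationPage loaded."},"hdr":{"timestamp":"2018-02-07T22:00:00.0000000Z","loc":"DEF","macaddress":"mac-f"}}',
    '{"bdy":{"msg":"Unhandled Exception"},"hdr":{"timestamp":"2018-02-07T22:01:00.0000000Z","loc":"XYZ","macaddress":"mac-g"}}',
    '{"bdy":{"msg":"AuthenticationPage loaded."},"hdr":{"timestamp":"2018-02-07T22:02:00.0000000Z","loc":"XYZ","macaddress":"mac-g"}}',
]


def parse_ts(ts: str) -> datetime:
    """Parse hdr.timestamp (7 fractional digits, trailing Z) into an aware UTC datetime."""
    base, frac = ts.rstrip("Z").split(".")
    micros = int(frac[:6].ljust(6, "0"))  # Python keeps microseconds only, so truncate the 7th digit
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(microsecond=micros, tzinfo=timezone.utc)


def count_exception_led_loads(raw_events, window_seconds=180,
                              trigger="Unhandled Exception", outcome="AuthenticationPage loaded."):
    """Per hdr.loc, count `outcome` events preceded within window_seconds by a `trigger`
    event from the same macaddress. Keyword matching is case-insensitive substring
    matching, like a Splunk keyword search, so "AuthenticationPage Loaded" also matches."""
    events = [json.loads(line) for line in raw_events]
    events.sort(key=lambda e: parse_ts(e["hdr"]["timestamp"]))  # walk the stream in time order
    last_trigger = {}  # macaddress -> time of its most recent trigger event
    counts = {}
    for e in events:
        mac, loc, msg = e["hdr"]["macaddress"], e["hdr"]["loc"], e["bdy"]["msg"].casefold()
        t = parse_ts(e["hdr"]["timestamp"])
        if trigger.casefold() in msg:
            last_trigger[mac] = t
        elif outcome.casefold() in msg:
            prev = last_trigger.pop(mac, None)  # pop so one exception explains at most one load
            if prev is not None and (t - prev).total_seconds() <= window_seconds:
                counts[loc] = counts.get(loc, 0) + 1
    return counts


if __name__ == "__main__":
    # mac-d qualifies (102 s apart), mac-g qualifies (60 s), mac-e is 9 min apart, mac-f had no exception
    print(count_exception_led_loads(SAMPLE_EVENTS))  # {'ABC': 1, 'XYZ': 1}
```

Widening the window to 600 seconds also admits the mac-e pair, which is the knob the thread's "2-3 minutes" maps to (maxspan in transaction).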