Splunk Search

How can I analyze different events where the field is the same but the keywords differ, and get a count of events where one event led to another?

macadminrohit
Contributor

Hi Experts,

I have got a requirement where I have a few events where one of the fields contains some keyword, say "Unhandled exception", which is being followed by subsequent events with different keywords, say "Authorisation Started".

So basically I am trying to analyze different events where the field is the same but the keywords differ, and we are trying to check for that relationship, which will help us find the count of events where one event led to another.

Let me know if that is possible and through which command.

0 Karma

DUThibault
Contributor

Could you describe this in more detail? A sample set of events would do wonders. Also, do you want to do this at index time or at search time?

0 Karma

macadminrohit
Contributor

{"bdy":{"msg":"AuthenticationPage loaded.","metricName":"PageLoad","metricValue":"AuthenticationPage","measuredTime":"00:00:00.2587706"},"hdr":{"level":"Information","timestamp":"2018-02-07T21:59:12.3973812Z","lineNum":0,"loc":"ABC","ABCId":"0170","ip":"xx.xx.xx.xx","hostName":"xx.xx","macaddress":"mac-d","eventid":0,"appVersion":"18","appName":"Logon","deviceModel":"","osVersion":"1944","firmwareVersion":"17222.0"},"ver":"0.1"}

In the first event we have to catch the keyword "AuthenticationPage Loaded" and check whether, in the past 2-3 minutes, the below event (or any event) happened which has the error "Unhandled Exception". If that is the case, we need the count based on the location.

{"bdy":{"msg":"Unhandled Exception","ex":{"Msg":"Unable to Claim . P.Scanner.GetDefaultAsync() returned null. This generally means you need to add DeviceCapability for Service in Package.appxmanifest file.","StackTrace":" at Abcde.Core.device.WinRT.Scanner.d__32.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at

I want to achieve this in a dashboard, so it will be at search time.

0 Karma

elliotproebstel
Champion

This is definitely possible, and it will be easiest for us to help if you can provide some sample events (with sensitive data redacted, if necessary). When you post them, use the 101010 code button to wrap your events and make them more easily readable.

0 Karma

macadminrohit
Contributor

And the good thing is that there is a field in these events, macaddress, and we want to capture these events for the same macaddress. So I am thinking we could do this using the transaction command.

0 Karma

macadminrohit
Contributor

So basically these are JSON events which are automatically parsed by Splunk into fields, and I need to search for the strings in the bdy.msg field and find the number of such occurrences by another field (bdy.mac).

0 Karma
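The correlation the poster describes (an "AuthenticationPage loaded." event on a device that logged an "Unhandled Exception" within the preceding few minutes, counted per location) can be reasoned through outside Splunk first. This is an added example, not code from the thread or from Splunk; it keys on the auto-extracted fields hdr.macaddress, bdy.msg and hdr.loc, uses a 3-minute window, and the sample events are constructed to cover the hit and the no-hit cases.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=3)  # "past 2-3 minutes" from the thread; 3m assumed


def _ts(ev):
    # hdr.timestamp has 7 fractional digits (e.g. 21:59:12.3973812Z); Python
    # only keeps microseconds, so trim the fraction before parsing.
    head, _, frac = ev["hdr"]["timestamp"].rstrip("Z").partition(".")
    micros = int(frac[:6].ljust(6, "0"))
    return datetime.fromisoformat(head).replace(tzinfo=timezone.utc) + timedelta(microseconds=micros)


def count_exception_before_load(raw_events, window=WINDOW):
    """Return {hdr.loc: count} of page loads that were preceded, on the same
    macaddress and within `window`, by an Unhandled Exception event.
    Each exception is consumed by the first matching page load, mirroring
    a transaction that starts at the exception and ends at the page load."""
    events = sorted((json.loads(line) for line in raw_events), key=_ts)
    last_exc = {}  # macaddress -> time of the most recent unmatched exception
    hits = Counter()
    for ev in events:
        mac, t, msg = ev["hdr"]["macaddress"], _ts(ev), ev["bdy"]["msg"]
        if msg.startswith("Unhandled Exception"):
            last_exc[mac] = t
        elif msg.startswith("AuthenticationPage loaded"):
            prev = last_exc.pop(mac, None)
            if prev is not None and t - prev <= window:
                hits[ev["hdr"]["loc"]] += 1
    return hits


def _event(msg, ts, mac, loc):
    # Constructed sample in the thread's JSON schema (only the fields used here).
    return json.dumps({"bdy": {"msg": msg},
                       "hdr": {"timestamp": ts, "loc": loc, "macaddress": mac}})


SAMPLE = [  # constructed; the order is deliberately not chronological
    _event("Unhandled Exception", "2018-02-07T21:57:30.1000000Z", "mac-d", "ABC"),
    _event("AuthenticationPage loaded.", "2018-02-07T21:59:12.3973812Z", "mac-d", "ABC"),  # hit: 1m42s later
    _event("Unhandled Exception", "2018-02-07T21:50:00.0000000Z", "mac-e", "XYZ"),
    _event("AuthenticationPage loaded.", "2018-02-07T21:59:00.0000000Z", "mac-e", "XYZ"),  # no hit: 9 min gap
    _event("AuthenticationPage loaded.", "2018-02-07T21:58:00.0000000Z", "mac-f", "ABC"),  # no prior exception
    _event("Unhandled Exception", "2018-02-07T21:59:30.0000000Z", "mac-f", "ABC"),         # exception after load
]

if __name__ == "__main__":
    print(dict(count_exception_before_load(SAMPLE)))  # {'ABC': 1}
```

The same logic in SPL, as my suggestion rather than anything posted in the thread, would be along the lines of `("Unhandled Exception" OR "AuthenticationPage loaded") | transaction hdr.macaddress startswith="Unhandled Exception" endswith="AuthenticationPage loaded" maxspan=3m | stats count by hdr.loc`; the Python version makes explicit which event pairs such a transaction would and would not count.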