How to correlate events related to the same sessio...

ADRIANODL · ‎03-11-2019

Hi folks,

I have 2 indexes containing information as below:

index ABC

 _time                   sessionkey                      browser
 06/03/2019 01:15:20   XfRtG5R3FR$Er                   Chrome X
 06/03/2019 01:18:25   XfRtG5R3FR$Er                   Chrome X
 06/03/2019 03:28:10   FFT$WFTFETR%                    IE11
 06/03/2019 03:31:56   FFT$WFTFETR%                    IE11

index XYZ

   _time                    name     CRUD
 06/03/2019 01:16:22        John     Update

So, unfortunately, I don't have a session key in both indexes to tie in these two events.

How can I correlate these 2 logs by the date range? i.e. the event in index XYZ falls between the time range for session XfRtG5R3FR$Er

 TimeSessionStarted  TimeSessionFinished TimeofCRUD            sessionkey   name  CRUD
 06/03/2019 01:15:20 06/03/2019 01:18:25 06/03/2019 01:16:22 XfRtG5R3FR$Er John Update

skalliger · ‎03-12-2019

You can simply do a search like

index=abc OR index=XYZ
| your condition(s) here
| transaction _time maxspan=something
| search index=XYZ
| where ...

And do some additional conditioning. Maybe you need tuning maxspan to get the events ininside your transaction you want. For further details lookt at transaction.

Skalli

How to correlate events related to the same session from two indexes by time range

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!