Dashboards & Visualizations

Finding related events based on occurrence of keywords in one of the common text fields

macadminrohit
Contributor

We are trying to create a dashboard where we need to find the number of occurrences where one event had a certain keyword and another event had a certain keyword. We suspect that one event may have caused another event. How can we achieve this? Below are some sample events:

As you can see, the "AuthenticationPage" log event happened; we want to know if any of the other events with "Unhandled exception" or "App crash" happened before the first event.

{"bdy":{"msg":"AuthenticationPage loaded.","metricName":"PageLoad","metricValue":"AuthenticationPage","measuredTime":"00:00:00.2587706"},"hdr":{"level":"Information","timestamp":"2018-02-07T21:59:12.3973812Z","lineNum":0,"loc":"ABC","ABCId":"0170","ip":"xx.xx.xx.xx","hostName":"xx.xx","macaddress":"mac-d","eventid":0,"appVersion":"18","appName":"Logon","deviceModel":"","osVersion":"1944","firmwareVersion":"17222.0"},"ver":"0.1"}

{"bdy":{"msg":"**Unhandled Exception**","ex":{"Msg":"Unable to Claim . P.Scanner.GetDefaultAsync() returned null. This generally means you need to add DeviceCapability for Service in Package.appxmanifest file.","StackTrace":" at Abcde.Core.device.WinRT.Scanner.d__32.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at


HiroshiSatoh
Champion

What about using transaction commands?

 | transaction startswith="AuthenticationPage" endswith=("Unhandled exception" OR "App crash happened")



macadminrohit
Contributor

For now I am using transaction, but I heard that it is very resource intensive.

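As an added example (not from either poster), here is a stats-based version of the same correlation that avoids transaction: for each device it finds the first "AuthenticationPage loaded" event and counts the Unhandled Exception / App crash events that occurred before it. It assumes the JSON fields are extracted (or spath-extracted) as bdy.msg and hdr.macaddress; the index and sourcetype names are placeholders.

```spl
index=app_logs sourcetype=app_json
    ("AuthenticationPage" OR "Unhandled Exception" OR "App crash")
| spath path=bdy.msg output=msg
| spath path=hdr.macaddress output=device
| eval kind=case(match(msg,"AuthenticationPage"),"page",
                 match(msg,"(?i)unhandled exception|app crash"),"fault")
| where isnotnull(kind)
| eventstats min(eval(if(kind=="page",_time,null()))) AS first_page_time BY device
| where kind=="fault" AND isnotnull(first_page_time) AND _time < first_page_time
| stats count AS faults_before_page
        max(_time) AS last_fault_time
        values(msg) AS fault_msgs
        BY device first_page_time
| eval seconds_before=first_page_time-last_fault_time
| convert ctime(first_page_time) ctime(last_fault_time)
| table device faults_before_page seconds_before last_fault_time first_page_time fault_msgs
```

Because eventstats and stats are distributable and keep only per-device aggregates, this scales better than transaction on large time ranges; add a time bound (for example `AND _time > first_page_time-3600`) if only faults shortly before the page load should count.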