Solved: How do you write a correlation search with a data ...

test_qweqwe · ‎12-01-2017

Hello my little friends.
I have logs from tomcat and they joined Web Data Model, so that means that I can write correlation search by using a data model.

For example, I have this search:

sourcetype="tomcat:access:log" request_uri="*struts2-rest-showcase*" AND status="500" | stats latest(_raw) as "orig_raw" values(request_uri) as "uri" values(http_method) as method values(status) as status count by "host", "src"

And I want to remake this search using Data Model and right now I have no idea how to do it.

I I've looked at many default correlation searches by ESS to understand how to write my own search and dat searches by so advance level that I even don't understand how they work 😞

woodcock · ‎12-03-2017

Try this;

| tstats summariesonly=t values(Web.url) AS url values(Web.http_method) AS method
WHERE Web.url="*struts2-rest-showcase*" AND Web.status="500"
BY Web.host Web.src

Do note that constraining to 500 means that the other status stuff is pointless because it will always be 500

View solution in original post

woodcock · ‎12-03-2017

Try this;

| tstats summariesonly=t values(Web.url) AS url values(Web.http_method) AS method
WHERE Web.url="*struts2-rest-showcase*" AND Web.status="500"
BY Web.host Web.src

Do note that constraining to 500 means that the other status stuff is pointless because it will always be 500

test_qweqwe · ‎12-04-2017

this search not working, but I see how it's looks, tnx!

test_qweqwe · ‎12-01-2017

Maybe I'm wrong but I think if I will remake search that in my OP post by using Data Model it's will solve my another question.

How do you write a correlation search with a data model?

Harnessing Splunk’s Federated Search for Amazon S3

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases