Event Correlation - Display events from two source...

mhpeters · ‎05-30-2017

I'm trying to do event correlation between two different sourcetypes using the following:

sourcetype=logweb host=s09 resultcode=503 | join _time [search sourcetype=OWAlog host=s09]

Only the events from the first sourcetype are being displayed. I need to see events from both sourcetypes.

What am I doing wrong?

mhpeters · ‎05-30-2017

I've tried a bunch of combinations taking into consideration the suggestions above. I'm still unable to view the actual events around the time of the 503 error in the logweb. Some searches (with the join) only display the logweb events, others(with transaction) only display the OWAlog events.

adonio · ‎05-31-2017

can you share sample data from both sourcetypes?
are you trying to see events around a 503 error from both sourcetypes?
what is the anticipated results and format?

mhpeters · ‎05-31-2017

Yes, I'm trying to see events around a 503 from both sourcetypes. Here's what is getting close to what I want:

((sourcetype=logweb) OR (sourcetype=OWAlog)) host=s09 | bin _time span=10s | transaction _time maxspan=30s | search resultcode=503

Here's a snipped of what is being returned:

::ffff:172.16.1.94 - amy [30/May/2017:17:59:51 --700] "POST /4DACTION/WebShowRACategories/ HTTP/1.1" 503 1680 ::ffff:172.16.1.91 - - [30/May/2017:17:59:56 --700] "GET /4DACTION/WebADCeSignWidget/201705300000168/General%20Release/30824217/ HTTP/1.1" 503 1680 ::ffff:172.16.1.91 - Nightingale [30/May/2017:17:59:56 --700] "GET /4DACTION/WebAppOrderEntry/Nightingale/Nightingale HTTP/1.1" 503 1680 May 30 17:59:58 172.16.1.53 zabbix Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) May 30 17:59:58 172.16.1.53 Concorde Concorde RA zabbix /4DAction/WebShowMenu May 30 17:59:58 172.16.1.53 zabbix Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)

I would like to see events around both sides of the 503.

adonio · ‎05-31-2017

check these answers:
https://answers.splunk.com/answers/2602/can-splunk-filter-match-events-and-bring-back-neighbouring-e...
https://answers.splunk.com/answers/150509/how-to-get-events-around-identified-event.html
also, there is a function in GUI that does that.
pick the event you want, expand it, look for the time field, click on the down arrow, fill the dialog box with the amount of time you want to see events before and after the picked event

woodcock · ‎05-30-2017

Try this (assuming the events are close in time but do not have the exact same time):

((index="SomeIndexHere" sourcetype="logweb" resultcode="503") OR (index="OtherIndexHere" sourcetype="OWAlog")) host="s09"
| bin _time span=5m | stats values(*) AS * BY _time

mhpeters · ‎05-30-2017

This yielded output but I wasn't able to interpret the results.

cmerriman · ‎05-30-2017

Do they have the same time stamps? You might need to |bucket _time span=5s Or something if one source type has events a few seconds after the other.

Is there another field the two source types have in common?

adonio · ‎05-30-2017

looks like host is common
first search | join host [ search second search]

cmerriman · ‎05-31-2017

if they're filtering by host, it really won't do much.

Event Correlation - Display events from two sourcetypes

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?

Event Correlation - Display events from two sourcetypes

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25