Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can someone suggest few ways of correlation of two or more fields

asm_coe
Explorer
‎05-28-2019 03:10 AM

I have a ticket dump with following fields.
Transaction ID
Transaction Type
Description
Priority
urgency
Created On

Created By
Actual Closed
Resolution code
SR Type
App ID

My need to correlate among 2 fields. Please do provide few correlation search commands(SPL) with above fields. Also need to convert the search into dashboards.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DavidHourani
Super Champion
‎05-28-2019 03:27 AM

Hi @asm_coe,

Correlation takes place usually between multiple sources with similar fields. I think you're looking for building transactions. For that you can use the transaction command.

Your SPL would look like this :

index= yourIndex sourcetype=yourSourcetype | transaction Transaction_ID App_ID

This will combine all fields with similar transaction ID and APP ID together.

Official documentation here for the latest version:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction

Let me know if that helps.

Cheers,
David

View solution in original post

Reply
Solved! Jump to solution
Solution

DavidHourani
Super Champion
‎05-28-2019 03:27 AM

Hi @asm_coe,

Correlation takes place usually between multiple sources with similar fields. I think you're looking for building transactions. For that you can use the transaction command.

Your SPL would look like this :

index= yourIndex sourcetype=yourSourcetype | transaction Transaction_ID App_ID

This will combine all fields with similar transaction ID and APP ID together.

Official documentation here for the latest version:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction

Let me know if that helps.

Cheers,
David

Reply
Solved! Jump to solution

asm_coe
Explorer
‎05-28-2019 03:59 AM

Thanks David for the quick help, Also please how can I convert this search into a dashboard. like chart or pie chart.

0 Karma
Reply
Solved! Jump to solution

DavidHourani
Super Champion
‎05-28-2019 04:01 AM

Ah, that's the easy part ^^ After running the search right next to the search button there is a "save as" button. Click that, select dashboard panel and then select either to make a new dashboard or an existing one.
If you need some documentation about that let me know !

Reply
Solved! Jump to solution

asm_coe
Explorer
‎05-28-2019 04:11 AM

Thanks David for your help. Really appreciated.

0 Karma
Reply
Solved! Jump to solution

DavidHourani
Super Champion
‎05-28-2019 04:16 AM

Most welcome ! Please upvote and accept the answer if it was helpful 🙂

0 Karma
Reply
Solved! Jump to solution

koshyk
Super Champion
‎05-28-2019 03:24 AM

You can do co-relation in multiple ways

  1. If each event contains all the fields => index=yourIndex sourcetype=yourSourceType Priority>2 Transaction_ID="12345"
  2. If you want to club multiple events, then do transaction command

Please do read about converting searches to Dashboard
1. Build basic dashboard => http://dev.splunk.com/view/webframework-tutorials/SP-CAAAEN4
2. https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/Createnewdashboard

Reply
Solved! Jump to solution

asm_coe
Explorer
‎05-28-2019 04:00 AM

Thanks Koshyk, Can you please suggest few correlation commands.

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...