Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Combining multiple events from downloading external document into a reportable event

DarthHerm
Explorer
‎03-28-2025 01:49 PM

This has been scratching my head. I'm working on dashboards on user activity on our application. Multiple dashboards I am working I'm trying to report when an external document was downloaded that is tied to the specific module of our application. Our application utilizes uses SQL. When I download an external document in our application, it generates a total of 12 separate events.  I set up field extractions on the DocumentId, DocumentTypeId, and DocmentFileTypeId. 

What I am trying to do with the 12 separate events is to show in one event with the DocumentTypeId DocumentId and DocumentFileTypeId (not as much needed). The DocumentTypeId is my primary event since it's tied to the dashboard for the specific module followed by the DocumentId. The DocumentTypeId tells me what the file is pertaining to the system, DocumentFileTypeId if it's a PDF or a different type, and the DocumentTypeId is the document number in SQL. For the time, I am using _time instead of accessDate in the events. All 12 was from the single download even with the three accessDate times. 

Tried a few different commands and searches now and just can't seem to get it to report correctly. When I think I have it correct, it's not the case when I expand the search range where for example all my Document Ids would also list the same DocumentTypeId which I verified against the DB to be incorrect when I used the join command. 

This is the raw events that were exported and sanitized for the post. The events have a valid _json. T

{"auditResultSets":null,"schema":"ref","storedProcedureName":"DocumentFileTypeGetById","commandText":"ref.DocumentFileTypeGetById","Locking":null,"commandType":4,"parameters":[{"name":"@RETURN_VALUE","value":0},{"name":"@DocumentFileTypeId","value":7}],"serverIPAddress":"000.000.000.000","serverHost":"Webserver","clientIPAddress":"000.000.000.000","sourceSystem":"WebSite","module":"Vendor.Product.BLL.DocumentManagement","accessDate":"2025-03-21T16:37:14.8614186-06:00","userId":0000,"userName":"username","traceInformation":[{"type":"Page","class":"Vendor.Product.Web.UI.Website.DocumentManagement.ViewDocument","method":"Page_Load"},{"type":"Manager","class":"Vendor.Product.BLL.DocumentManagement.DocumentManager","method":"Get"}]}
{"auditResultSets":null,"schema":"ref","storedProcedureName":"DocumentAttributeGetByDocumentTypeId","commandText":"ref.DocumentAttributeGetByDocumentTypeId","Locking":null,"commandType":4,"parameters":[{"name":"@RETURN_VALUE","value":0},{"name":"@DocumentTypeId","value":00},{"name":"@IncludeInactive","value":false}],"serverIPAddress":"000.000.000.000","serverHost":"Webserver","clientIPAddress":"000.000.000.000","sourceSystem":"WebSite","module":"Vendor.Product.BLL.DocumentManagement","accessDate":"2025-03-21T16:37:14.8614186-06:00","userId":0000,"userName":"username","traceInformation":[{"type":"Page","class":"Vendor.Product.Web.UI.Website.DocumentManagement.ViewDocument","method":"Page_Load"},{"type":"Manager","class":"Vendor.Product.BLL.DocumentManagement.DocumentManager","method":"Get"}]}
{"auditResultSets":null,"schema":"ref","storedProcedureName":"DocumentDetailGetByParentId","commandText":"ref.DocumentDetailGetByParentId","Locking":null,"commandType":4,"parameters":[{"name":"@RETURN_VALUE","value":0},{"name":"@DocumentId","value":000000}],"serverIPAddress":"000.000.000.000","serverHost":"Webserver","clientIPAddress":"000.000.000.000","sourceSystem":"WebSite","module":"Vendor.Product.BLL.DocumentManagement","accessDate":"2025-03-21T16:37:14.8614186-06:00","userId":0000,"userName":"username","traceInformation":[{"type":"Page","class":"Vendor.Product.Web.UI.Website.DocumentManagement.ViewDocument","method":"Page_Load"},{"type":"Manager","class":"Vendor.Product.BLL.DocumentManagement.DocumentManager","method":"Get"}]}
{"auditResultSets":null,"schema":"ref","storedProcedureName":"DocumentStatusHistoryGetByFK","commandText":"ref.DocumentStatusHistoryGetByFK","Locking":null,"commandType":4,"parameters":[{"name":"@RETURN_VALUE","value":0},{"name":"@DocumentVersionId","value":000000},{"name":"@IncludeInactive","value":""}],"serverIPAddress":"000.000.000.000","serverHost":"Webserver","clientIPAddress":"000.000.000.000","sourceSystem":"WebSite","module":"Vendor.Product.BLL.DocumentManagement","accessDate":"2025-03-21T16:37:14.8614186-06:00","userId":0000,"userName":"username","traceInformation":[{"type":"Page","class":"Vendor.Product.Web.UI.Website.DocumentManagement.ViewDocument","method":"Page_Load"},{"type":"Manager","class":"Vendor.Product.BLL.DocumentManagement.DocumentManager","method":"Get"}]}
{"auditResultSets":null,"schema":"ref","storedProcedureName":"DocumentVersionGetByFK","commandText":"ref.DocumentVersionGetByFK","Locking":null,"commandType":4,"parameters":[{"name":"@RETURN_VALUE","value":0},{"name":"@DocumentId","value":000000}],"serverIPAddress":"000.000.000.000","serverHost":"Webserver","clientIPAddress":"000.000.000.000","sourceSystem":"WebSite","module":"Vendor.Product.BLL.DocumentManagement","accessDate":"2025-03-21T16:37:14.8614186-06:00","userId":0000,"userName":"username","traceInformation":[{"type":"Page","class":"Vendor.Product.Web.UI.Website.DocumentManagement.ViewDocument","method":"Page_Load"},{"type":"Manager","class":"Vendor.Product.BLL.DocumentManagement.DocumentManager","method":"Get"}]}
{"auditResultSets":null,"schema":"ref","storedProcedureName":"DocumentLinkGetByFK","commandText":"ref.DocumentLinkGetByFK","Locking":null,"commandType":4,"parameters":[{"name":"@RETURN_VALUE","value":0},{"name":"@DocumentId","value":000000}],"serverIPAddress":"000.000.000.000","serverHost":"Webserver","clientIPAddress":"000.000.000.000","sourceSystem":"WebSite","module":"Vendor.Product.BLL.DocumentManagement","accessDate":"2025-03-21T16:37:14.8614186-06:00","userId":0000,"userName":"username","traceInformation":[{"type":"Page","class":"Vendor.Product.Web.UI.Website.DocumentManagement.ViewDocument","method":"Page_Load"},{"type":"Manager","class":"Vendor.Product.BLL.DocumentManagement.DocumentManager","method":"Get"}]}
{"auditResultSets":null,"schema":"ref","storedProcedureName":"DocumentGetById","commandText":"ref.DocumentGetById","Locking":null,"commandType":4,"parameters":[{"name":"@RETURN_VALUE","value":0},{"name":"@DocumentId","value":000000}],"serverIPAddress":"000.000.000.000","serverHost":"Webserver","clientIPAddress":"000.000.000.000","sourceSystem":"WebSite","module":"Vendor.Product.BLL.DocumentManagement","accessDate":"2025-03-21T16:37:14.8457543-06:00","userId":0000,"userName":"username","traceInformation":[{"type":"Page","class":"Vendor.Product.Web.UI.Website.DocumentManagement.ViewDocument","method":"Page_Load"},{"type":"Manager","class":"Vendor.Product.BLL.DocumentManagement.DocumentManager","method":"Get"}]}
{"auditResultSets":null,"schema":"ref","storedProcedureName":"DocumentFileTypeGetById","commandText":"ref.DocumentFileTypeGetById","Locking":null,"commandType":4,"parameters":[{"name":"@RETURN_VALUE","value":0},{"name":"@DocumentFileTypeId","value":7}],"serverIPAddress":"000.000.000.000","serverHost":"Webserver","clientIPAddress":"000.000.000.000","sourceSystem":"WebSite","module":"Vendor.Product.BLL.DocumentManagement","accessDate":"2025-03-21T16:37:14.736377-06:00","userId":0000,"userName":"username","traceInformation":[{"type":"Page","class":"Vendor.Product.Web.UI.Website.DocumentManagement.DocumentManagementMain","method":"ViewDocument"},{"type":"Manager","class":"Vendor.Product.BLL.DocumentManagement.DocumentManager","method":"GetLatestDocumentwithoutAttributes"}]}
{"auditResultSets":null,"schema":"ref","storedProcedureName":"DocumentStatusHistoryGetByFK","commandText":"ref.DocumentStatusHistoryGetByFK","Locking":null,"commandType":4,"parameters":[{"name":"@RETURN_VALUE","value":0},{"name":"@DocumentVersionId","value":000000},{"name":"@IncludeInactive","value":""}],"serverIPAddress":"000.000.000.000","serverHost":"Webserver","clientIPAddress":"000.000.000.000","sourceSystem":"WebSite","module":"Vendor.Product.BLL.DocumentManagement","accessDate":"2025-03-21T16:37:14.736377-06:00","userId":0000,"userName":"username","traceInformation":[{"type":"Page","class":"Vendor.Product.Web.UI.Website.DocumentManagement.DocumentManagementMain","method":"ViewDocument"},{"type":"Manager","class":"Vendor.Product.BLL.DocumentManagement.DocumentManager","method":"GetLatestDocumentwithoutAttributes"}]}
{"auditResultSets":null,"schema":"ref","storedProcedureName":"DocumentVersionGetByFK","commandText":"ref.DocumentVersionGetByFK","Locking":null,"commandType":4,"parameters":[{"name":"@RETURN_VALUE","value":0},{"name":"@DocumentId","value":000000}],"serverIPAddress":"000.000.000.000","serverHost":"Webserver","clientIPAddress":"000.000.000.000","sourceSystem":"WebSite","module":"Vendor.Product.BLL.DocumentManagement","accessDate":"2025-03-21T16:37:14.736377-06:00","userId":0000,"userName":"username","traceInformation":[{"type":"Page","class":"Vendor.Product.Web.UI.Website.DocumentManagement.DocumentManagementMain","method":"ViewDocument"},{"type":"Manager","class":"Vendor.Product.BLL.DocumentManagement.DocumentManager","method":"GetLatestDocumentwithoutAttributes"}]}
{"auditResultSets":null,"schema":"ref","storedProcedureName":"DocumentLinkGetByFK","commandText":"ref.DocumentLinkGetByFK","Locking":null,"commandType":4,"parameters":[{"name":"@RETURN_VALUE","value":0},{"name":"@DocumentId","value":000000}],"serverIPAddress":"000.000.000.000","serverHost":"Webserver","clientIPAddress":"000.000.000.000","sourceSystem":"WebSite","module":"Vendor.Product.BLL.DocumentManagement","accessDate":"2025-03-21T16:37:14.736377-06:00","userId":0000,"userName":"username","traceInformation":[{"type":"Page","class":"Vendor.Product.Web.UI.Website.DocumentManagement.DocumentManagementMain","method":"ViewDocument"},{"type":"Manager","class":"Vendor.Product.BLL.DocumentManagement.DocumentManager","method":"GetLatestDocumentwithoutAttributes"}]}
{"auditResultSets":null,"schema":"ref","storedProcedureName":"DocumentGetById","commandText":"ref.DocumentGetById","Locking":null,"commandType":4,"parameters":[{"name":"@RETURN_VALUE","value":0},{"name":"@DocumentId","value":000000}],"serverIPAddress":"000.000.000.000","serverHost":"Webserver","clientIPAddress":"000.000.000.000","sourceSystem":"WebSite","module":"Vendor.Product.BLL.DocumentManagement","accessDate":"2025-03-21T16:37:14.736377-06:00","userId":0000,"userName":"username","traceInformation":[{"type":"Page","class":"Vendor.Product.Web.UI.Website.DocumentManagement.DocumentManagementMain","method":"ViewDocument"},{"type":"Manager","class":"Vendor.Product.BLL.DocumentManagement.DocumentManager","method":"GetLatestDocumentwithoutAttributes"}]}





Labels (1)
Labels
0 Karma
Reply

DarthHerm
Explorer
‎04-04-2025 12:38 PM

I pulled up the original the events and then also downloaded a different external document from our system to generate those logs. I trimmed it down from the 12 events to 3. I reduced the sanitizing to help out.

In the dashboards the DocumentTypeId is where I am starting with because that identifies which module the file is located in our application. The DocumentId is the SQL document Id number assigned to the file. Lastly the DocumentFileTypeId identifies the file format.

I'm also looking at leverage the DBConnect add-on. I'm also looking at that as an option and use the DocumentId for the search instead. 



{ [-]
Locking: null
accessDate: 2025-03-21T16:37:14.8614186-06:00
auditResultSets: null
clientIPAddress: 255.255.255.255
commandText: ref.DocumentFileTypeGetById
commandType: 4
module: Vendor.PRODUCT.BLL.DocumentManagement
parameters: [ [-]
{ [-]
name: @RETURN_VALUE
value: 0
}
{ [-]
name: @DocumentFileTypeId
value: 7
}
]
schema: ref
serverHost: Webserver
serverIPAddress: 255.255.255.255
sourceSystem: WebSite
storedProcedureName: DocumentFileTypeGetById
traceInformation: [ [-]
{ [-]
class: Vendor.PRODUCT.Web.UI.Website.DocumentManagement.ViewDocument
method: Page_Load
type: Page
}
{ [-]
class: Vendor.PRODUCT.BLL.DocumentManagement.DocumentManager
method: Get
type: Manager
}
]
userId: UserNumber
userName: Username
}{ [-]
Locking: null
accessDate: 2025-03-21T16:37:14.8614186-06:00
auditResultSets: null
clientIPAddress: 255.255.255.255
commandText: ref.DocumentFileTypeGetById
commandType: 4
module: Vendor.PRODUCT.BLL.DocumentManagement
parameters: [ [-]
{ [-]
name: @RETURN_VALUE
value: 0
}
{ [-]
name: @DocumentFileTypeId
value: 7
}
]
schema: ref
serverHost: Webserver
serverIPAddress: 255.255.255.255
sourceSystem: WebSite
storedProcedureName: DocumentFileTypeGetById
traceInformation: [ [-]
{ [-]
class: Vendor.PRODUCT.Web.UI.Website.DocumentManagement.ViewDocument
method: Page_Load
type: Page
}
{ [-]
class: Vendor.PRODUCT.BLL.DocumentManagement.DocumentManager
method: Get
type: Manager
}
]
userId: UserNumber
userName: Username
}

{ [-]
Locking: null
accessDate: 2025-03-21T16:37:14.8614186-06:00
auditResultSets: null
clientIPAddress: 255.255.255.255
commandText: ref.DocumentAttributeGetByDocumentTypeId
commandType: 4
module: Vendor.PRODUCT.BLL.DocumentManagement
parameters: [ [-]
{ [-]
name: @RETURN_VALUE
value: 0
}
{ [-]
name: @DocumentTypeId
value: 92
}
{ [-]
name: @IncludeInactive
value: false
}
]
schema: ref
serverHost: Webserver
serverIPAddress: 255.255.255.255
sourceSystem: WebSite
storedProcedureName: DocumentAttributeGetByDocumentTypeId
traceInformation: [ [-]
{ [-]
class: Vendor.PRODUCT.Web.UI.Website.DocumentManagement.ViewDocument
method: Page_Load
type: Page
}
{ [-]
class: Vendor.PRODUCT.BLL.DocumentManagement.DocumentManager
method: Get
type: Manager
}
]
userId: UserNumber
userName: Username
}

 

Preview file
3 KB
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-04-2025 02:25 PM

These representations of your events are not formatted as JSON data (your original post was not either although it was a lot closer). Please repost your events in unformatted form e.g. with double quotes around field names and strings, etc. This makes it a lot easier for volunteers to try out solutions on your data before posting suggestions, which will be more efficient in the long run.

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎04-02-2025 10:23 PM

If I read your context correctly, you want to use values of "name" in parameters as key, and those of "value" as value, like the following based on your sample data.

storedProcedureNameDocumentFileTypeIdDocumentIdDocumentTypeIdDocumentVersionIdIncludeInactiveRETURN_VALUE
DocumentFileTypeGetById7    0
DocumentAttributeGetByDocumentTypeId  00 false0
DocumentDetailGetByParentId 000000   0
DocumentStatusHistoryGetByFK   000000 0
DocumentVersionGetByFK 000000   0
DocumentLinkGetByFK 000000   0
DocumentGetById 000000   0
DocumentFileTypeGetById7    0
DocumentStatusHistoryGetByFK   000000 0
DocumentVersionGetByFK 000000   0
DocumentLinkGetByFK 000000   0
DocumentGetById 000000   0

Here, I preserved storedProcedureName as reference.  Also note that when you sanitize sample data, any fake value with multiple zeros (0s) must be quoted in order to be valid JSON.

To return the above, use JSON functions introduced in 8.1:

| eval kvparams = json_object()
| foreach parameters mode=json_array
    [eval kvparams = json_set(kvparams, json_extract(<<ITEM>>, "name"), json_extract(<<ITEM>>, "value"))]
| spath input=kvparams
| rename @* as *

Here is a full emulation using the 12 events (with corrected JSON syntax) for you to play with and compare with real data.

| makeresults format=json data="[
{\"auditResultSets\":null,\"schema\":\"ref\",\"storedProcedureName\":\"DocumentFileTypeGetById\",\"commandText\":\"ref.DocumentFileTypeGetById\",\"Locking\":null,\"commandType\":4,\"parameters\":[{\"name\":\"@RETURN_VALUE\",\"value\":0},{\"name\":\"@DocumentFileTypeId\",\"value\":7}],\"serverIPAddress\":\"000.000.000.000\",\"serverHost\":\"Webserver\",\"clientIPAddress\":\"000.000.000.000\",\"sourceSystem\":\"WebSite\",\"module\":\"Vendor.Product.BLL.DocumentManagement\",\"accessDate\":\"2025-03-21T16:37:14.8614186-06:00\",\"userId\":\"0000\",\"userName\":\"username\",\"traceInformation\":[{\"type\":\"Page\",\"class\":\"Vendor.Product.Web.UI.Website.DocumentManagement.ViewDocument\",\"method\":\"Page_Load\"},{\"type\":\"Manager\",\"class\":\"Vendor.Product.BLL.DocumentManagement.DocumentManager\",\"method\":\"Get\"}]},
{\"auditResultSets\":null,\"schema\":\"ref\",\"storedProcedureName\":\"DocumentAttributeGetByDocumentTypeId\",\"commandText\":\"ref.DocumentAttributeGetByDocumentTypeId\",\"Locking\":null,\"commandType\":4,\"parameters\":[{\"name\":\"@RETURN_VALUE\",\"value\":0},{\"name\":\"@DocumentTypeId\",\"value\":\"00\"},{\"name\":\"@IncludeInactive\",\"value\":false}],\"serverIPAddress\":\"000.000.000.000\",\"serverHost\":\"Webserver\",\"clientIPAddress\":\"000.000.000.000\",\"sourceSystem\":\"WebSite\",\"module\":\"Vendor.Product.BLL.DocumentManagement\",\"accessDate\":\"2025-03-21T16:37:14.8614186-06:00\",\"userId\":\"0000\",\"userName\":\"username\",\"traceInformation\":[{\"type\":\"Page\",\"class\":\"Vendor.Product.Web.UI.Website.DocumentManagement.ViewDocument\",\"method\":\"Page_Load\"},{\"type\":\"Manager\",\"class\":\"Vendor.Product.BLL.DocumentManagement.DocumentManager\",\"method\":\"Get\"}]},
{\"auditResultSets\":null,\"schema\":\"ref\",\"storedProcedureName\":\"DocumentDetailGetByParentId\",\"commandText\":\"ref.DocumentDetailGetByParentId\",\"Locking\":null,\"commandType\":4,\"parameters\":[{\"name\":\"@RETURN_VALUE\",\"value\":0},{\"name\":\"@DocumentId\",\"value\":\"000000\"}],\"serverIPAddress\":\"000.000.000.000\",\"serverHost\":\"Webserver\",\"clientIPAddress\":\"000.000.000.000\",\"sourceSystem\":\"WebSite\",\"module\":\"Vendor.Product.BLL.DocumentManagement\",\"accessDate\":\"2025-03-21T16:37:14.8614186-06:00\",\"userId\":\"0000\",\"userName\":\"username\",\"traceInformation\":[{\"type\":\"Page\",\"class\":\"Vendor.Product.Web.UI.Website.DocumentManagement.ViewDocument\",\"method\":\"Page_Load\"},{\"type\":\"Manager\",\"class\":\"Vendor.Product.BLL.DocumentManagement.DocumentManager\",\"method\":\"Get\"}]},
{\"auditResultSets\":null,\"schema\":\"ref\",\"storedProcedureName\":\"DocumentStatusHistoryGetByFK\",\"commandText\":\"ref.DocumentStatusHistoryGetByFK\",\"Locking\":null,\"commandType\":4,\"parameters\":[{\"name\":\"@RETURN_VALUE\",\"value\":0},{\"name\":\"@DocumentVersionId\",\"value\":\"000000\"},{\"name\":\"@IncludeInactive\",\"value\":\"\"}],\"serverIPAddress\":\"000.000.000.000\",\"serverHost\":\"Webserver\",\"clientIPAddress\":\"000.000.000.000\",\"sourceSystem\":\"WebSite\",\"module\":\"Vendor.Product.BLL.DocumentManagement\",\"accessDate\":\"2025-03-21T16:37:14.8614186-06:00\",\"userId\":\"0000\",\"userName\":\"username\",\"traceInformation\":[{\"type\":\"Page\",\"class\":\"Vendor.Product.Web.UI.Website.DocumentManagement.ViewDocument\",\"method\":\"Page_Load\"},{\"type\":\"Manager\",\"class\":\"Vendor.Product.BLL.DocumentManagement.DocumentManager\",\"method\":\"Get\"}]},
{\"auditResultSets\":null,\"schema\":\"ref\",\"storedProcedureName\":\"DocumentVersionGetByFK\",\"commandText\":\"ref.DocumentVersionGetByFK\",\"Locking\":null,\"commandType\":4,\"parameters\":[{\"name\":\"@RETURN_VALUE\",\"value\":0},{\"name\":\"@DocumentId\",\"value\":\"000000\"}],\"serverIPAddress\":\"000.000.000.000\",\"serverHost\":\"Webserver\",\"clientIPAddress\":\"000.000.000.000\",\"sourceSystem\":\"WebSite\",\"module\":\"Vendor.Product.BLL.DocumentManagement\",\"accessDate\":\"2025-03-21T16:37:14.8614186-06:00\",\"userId\":\"0000\",\"userName\":\"username\",\"traceInformation\":[{\"type\":\"Page\",\"class\":\"Vendor.Product.Web.UI.Website.DocumentManagement.ViewDocument\",\"method\":\"Page_Load\"},{\"type\":\"Manager\",\"class\":\"Vendor.Product.BLL.DocumentManagement.DocumentManager\",\"method\":\"Get\"}]},
{\"auditResultSets\":null,\"schema\":\"ref\",\"storedProcedureName\":\"DocumentLinkGetByFK\",\"commandText\":\"ref.DocumentLinkGetByFK\",\"Locking\":null,\"commandType\":4,\"parameters\":[{\"name\":\"@RETURN_VALUE\",\"value\":0},{\"name\":\"@DocumentId\",\"value\":\"000000\"}],\"serverIPAddress\":\"000.000.000.000\",\"serverHost\":\"Webserver\",\"clientIPAddress\":\"000.000.000.000\",\"sourceSystem\":\"WebSite\",\"module\":\"Vendor.Product.BLL.DocumentManagement\",\"accessDate\":\"2025-03-21T16:37:14.8614186-06:00\",\"userId\":\"0000\",\"userName\":\"username\",\"traceInformation\":[{\"type\":\"Page\",\"class\":\"Vendor.Product.Web.UI.Website.DocumentManagement.ViewDocument\",\"method\":\"Page_Load\"},{\"type\":\"Manager\",\"class\":\"Vendor.Product.BLL.DocumentManagement.DocumentManager\",\"method\":\"Get\"}]},
{\"auditResultSets\":null,\"schema\":\"ref\",\"storedProcedureName\":\"DocumentGetById\",\"commandText\":\"ref.DocumentGetById\",\"Locking\":null,\"commandType\":4,\"parameters\":[{\"name\":\"@RETURN_VALUE\",\"value\":0},{\"name\":\"@DocumentId\",\"value\":\"000000\"}],\"serverIPAddress\":\"000.000.000.000\",\"serverHost\":\"Webserver\",\"clientIPAddress\":\"000.000.000.000\",\"sourceSystem\":\"WebSite\",\"module\":\"Vendor.Product.BLL.DocumentManagement\",\"accessDate\":\"2025-03-21T16:37:14.8457543-06:00\",\"userId\":\"0000\",\"userName\":\"username\",\"traceInformation\":[{\"type\":\"Page\",\"class\":\"Vendor.Product.Web.UI.Website.DocumentManagement.ViewDocument\",\"method\":\"Page_Load\"},{\"type\":\"Manager\",\"class\":\"Vendor.Product.BLL.DocumentManagement.DocumentManager\",\"method\":\"Get\"}]},
{\"auditResultSets\":null,\"schema\":\"ref\",\"storedProcedureName\":\"DocumentFileTypeGetById\",\"commandText\":\"ref.DocumentFileTypeGetById\",\"Locking\":null,\"commandType\":4,\"parameters\":[{\"name\":\"@RETURN_VALUE\",\"value\":0},{\"name\":\"@DocumentFileTypeId\",\"value\":7}],\"serverIPAddress\":\"000.000.000.000\",\"serverHost\":\"Webserver\",\"clientIPAddress\":\"000.000.000.000\",\"sourceSystem\":\"WebSite\",\"module\":\"Vendor.Product.BLL.DocumentManagement\",\"accessDate\":\"2025-03-21T16:37:14.736377-06:00\",\"userId\":\"0000\",\"userName\":\"username\",\"traceInformation\":[{\"type\":\"Page\",\"class\":\"Vendor.Product.Web.UI.Website.DocumentManagement.DocumentManagementMain\",\"method\":\"ViewDocument\"},{\"type\":\"Manager\",\"class\":\"Vendor.Product.BLL.DocumentManagement.DocumentManager\",\"method\":\"GetLatestDocumentwithoutAttributes\"}]},
{\"auditResultSets\":null,\"schema\":\"ref\",\"storedProcedureName\":\"DocumentStatusHistoryGetByFK\",\"commandText\":\"ref.DocumentStatusHistoryGetByFK\",\"Locking\":null,\"commandType\":4,\"parameters\":[{\"name\":\"@RETURN_VALUE\",\"value\":0},{\"name\":\"@DocumentVersionId\",\"value\":\"000000\"},{\"name\":\"@IncludeInactive\",\"value\":\"\"}],\"serverIPAddress\":\"000.000.000.000\",\"serverHost\":\"Webserver\",\"clientIPAddress\":\"000.000.000.000\",\"sourceSystem\":\"WebSite\",\"module\":\"Vendor.Product.BLL.DocumentManagement\",\"accessDate\":\"2025-03-21T16:37:14.736377-06:00\",\"userId\":\"0000\",\"userName\":\"username\",\"traceInformation\":[{\"type\":\"Page\",\"class\":\"Vendor.Product.Web.UI.Website.DocumentManagement.DocumentManagementMain\",\"method\":\"ViewDocument\"},{\"type\":\"Manager\",\"class\":\"Vendor.Product.BLL.DocumentManagement.DocumentManager\",\"method\":\"GetLatestDocumentwithoutAttributes\"}]},
{\"auditResultSets\":null,\"schema\":\"ref\",\"storedProcedureName\":\"DocumentVersionGetByFK\",\"commandText\":\"ref.DocumentVersionGetByFK\",\"Locking\":null,\"commandType\":4,\"parameters\":[{\"name\":\"@RETURN_VALUE\",\"value\":0},{\"name\":\"@DocumentId\",\"value\":\"000000\"}],\"serverIPAddress\":\"000.000.000.000\",\"serverHost\":\"Webserver\",\"clientIPAddress\":\"000.000.000.000\",\"sourceSystem\":\"WebSite\",\"module\":\"Vendor.Product.BLL.DocumentManagement\",\"accessDate\":\"2025-03-21T16:37:14.736377-06:00\",\"userId\":\"0000\",\"userName\":\"username\",\"traceInformation\":[{\"type\":\"Page\",\"class\":\"Vendor.Product.Web.UI.Website.DocumentManagement.DocumentManagementMain\",\"method\":\"ViewDocument\"},{\"type\":\"Manager\",\"class\":\"Vendor.Product.BLL.DocumentManagement.DocumentManager\",\"method\":\"GetLatestDocumentwithoutAttributes\"}]},
{\"auditResultSets\":null,\"schema\":\"ref\",\"storedProcedureName\":\"DocumentLinkGetByFK\",\"commandText\":\"ref.DocumentLinkGetByFK\",\"Locking\":null,\"commandType\":4,\"parameters\":[{\"name\":\"@RETURN_VALUE\",\"value\":0},{\"name\":\"@DocumentId\",\"value\":\"000000\"}],\"serverIPAddress\":\"000.000.000.000\",\"serverHost\":\"Webserver\",\"clientIPAddress\":\"000.000.000.000\",\"sourceSystem\":\"WebSite\",\"module\":\"Vendor.Product.BLL.DocumentManagement\",\"accessDate\":\"2025-03-21T16:37:14.736377-06:00\",\"userId\":\"0000\",\"userName\":\"username\",\"traceInformation\":[{\"type\":\"Page\",\"class\":\"Vendor.Product.Web.UI.Website.DocumentManagement.DocumentManagementMain\",\"method\":\"ViewDocument\"},{\"type\":\"Manager\",\"class\":\"Vendor.Product.BLL.DocumentManagement.DocumentManager\",\"method\":\"GetLatestDocumentwithoutAttributes\"}]},
{\"auditResultSets\":null,\"schema\":\"ref\",\"storedProcedureName\":\"DocumentGetById\",\"commandText\":\"ref.DocumentGetById\",\"Locking\":null,\"commandType\":4,\"parameters\":[{\"name\":\"@RETURN_VALUE\",\"value\":0},{\"name\":\"@DocumentId\",\"value\":\"000000\"}],\"serverIPAddress\":\"000.000.000.000\",\"serverHost\":\"Webserver\",\"clientIPAddress\":\"000.000.000.000\",\"sourceSystem\":\"WebSite\",\"module\":\"Vendor.Product.BLL.DocumentManagement\",\"accessDate\":\"2025-03-21T16:37:14.736377-06:00\",\"userId\":\"0000\",\"userName\":\"username\",\"traceInformation\":[{\"type\":\"Page\",\"class\":\"Vendor.Product.Web.UI.Website.DocumentManagement.DocumentManagementMain\",\"method\":\"ViewDocument\"},{\"type\":\"Manager\",\"class\":\"Vendor.Product.BLL.DocumentManagement.DocumentManager\",\"method\":\"GetLatestDocumentwithoutAttributes\"}]}
]"
| fields parameters storedProcedureName
| eval kvparams = json_object()
| foreach parameters mode=json_array
    [eval kvparams = json_set(kvparams, json_extract(<<ITEM>>, "name"), json_extract(<<ITEM>>, "value"))]
| spath input=kvparams
| rename @* as *
| fields - _* parameters kvparams

 

Tags (2)
0 Karma
Reply

DarthHerm
Explorer
‎03-31-2025 09:00 AM

Yes the data has a valid json in for these events. For the post, I exported the raw events and sanitized it for the post in the community. If that wasn't the best way to go about it, let me know. I'm only starting to post on the Splunk community. 

Wen I ran the extended search, the one event that ties them all together is return_value with a value of 0. Try running the stats on return_value? 


0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-02-2025 12:56 AM

My guess would be no - it is likely that return value of zero is used in multiple unrelated events.

Perhaps you have over sanitised the events which has hidden some clues which might help us suggest other ways to group the events.

Please share at least two sets of events, related to at least two different business events, e.g. downloading different external documents, with as little sanitisation as possible. Obviously, try not to give away any sensitive or proprietary information.

Given that you have three accessDates for the sets of events, and assuming DocumentId is unique for your business event / download, you could also try something like this

| eval parameters=json_array_to_mv(json_extract_exact(_raw,"parameters"))
| mvexpand parameters
| spath input=parameters
| spath accessDate
| eval name="field_".trim(name,"@")
| eval {name}=value
| stats values(field_*) as * by accessDate
| stats values(*) as * by DocumentId

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-28-2025 02:43 PM

Assuming your real data has valid json in (not this mangled version of it), you could start by extracting the parameter name/value pairs for each event.

| eval parameters=json_array_to_mv(json_extract_exact(_raw,"parameters"))
| streamstats count as row
| mvexpand parameters
| spath input=parameters
| eval name="field_".trim(name,"@")
| eval {name}=value
| stats values(field_*) as * by row

If you have a common event id which identifies all these events to your single download event, you could stats by this id instead of row

Reply
Get Updates on the Splunk Community!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Cultivate Your Career Growth with Fresh Splunk Training

Growth doesn’t just happen—it’s nurtured. Like tending a garden, developing your Splunk skills takes the right ...

Introducing a Smarter Way to Discover Apps on Splunkbase

We’re excited to announce the launch of a foundational enhancement to Splunkbase: App Tiering.  Because we’ve ...