
Correlating events across multiple sources and multiple keys

Explorer

Hi,

I'm after some advice on the best way to create a search for the following scenario.

I have 3 data sources, A, B, C, where there is a common field between A<-->B and a different common field between B<-->C.

What I want to find, is how many events occur in A and C. I can see that I can create a transaction across A&B or B&C, but I'm unsure how to correlate across these sources when the common information changes.

Any tips would be great!

0 Karma

Splunk Employee

Let's call one field ab and the other bc.

This is sort of ambiguous:

how many events occur in A and C

Are you looking for events that started in A and went through B to C? The count of events that have a relationship via B, from A<-->C?

Have you considered using a field alias in B so that the same field can be used from A<-->C, that is, ab also equals ac?

0 Karma

Splunk Employee

The reason I'm asking for your clarification on this is because, if you're really only looking for counts, there is absolutely no reason to use the transaction command.

0 Karma

Communicator

You are right. Transaction is a very powerful command, but it has a limitation: it's not advisable to use it in a clustered environment, and it takes a lot of resources too.

Another alternative is to use a subsearch.

sourcetype=A OR sourcetype=C [search sourcetype=A OR sourcetype=B | table ]

For example:
Sourcetype A and Sourcetype B - common field is ipaddress
Sourcetype B and Sourcetype C - common field is username

sourcetype=A OR sourcetype=C [search sourcetype=A OR sourcetype=B ipaddress=* | table username]

1) First, search for information in sourcetypes A and B using the common field between A and B, and identify the field which is common between B and C (i.e., table username).
2) Pass the results from the inner query to the outer query.

Hope this helps.

0 Karma

SplunkTrust

So assuming your data looks like this:

event_1A sessionID=someValue
event_1B sessionID=someValue jqueryResponse=someValue
event_1C jqueryResponse=someValue

Then you can do a double transaction (NOTE: I'm doing this off the top of my head, so yeah, it might not work right - you may need to finagle.)

<your_search_for_events> | transaction sessionID keeporphans=true | transaction jqueryResponse | <do_other_things>

There may be a more streamlined search, but this one comes to mind.

0 Karma
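To make the two-hop idea concrete, here is an added example that is not code from this thread or from Splunk: a plain-Python model of the same A->B->C correlation over constructed sample events. It shows the three things the replies above describe: what the inner subsearch should hand to the outer search (the username values reachable from A through B), the outer search that filters C on those values, and a count-only summary of the kind the Splunk Employee reply says needs no transaction at all, including the A and C events with no partner that keeporphans=true would otherwise carry along. The field names ipaddress and username follow the example in the subsearch reply; the event data, function names and the sourcetype A/B/C labels are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample events (not from any real system). A<->B share
# "ipaddress", B<->C share "username", as in the subsearch example above.
EVENTS = [
    {"sourcetype": "A", "ipaddress": "10.0.0.5"},
    {"sourcetype": "A", "ipaddress": "10.0.0.9"},
    {"sourcetype": "A", "ipaddress": "10.0.0.7"},      # no B event: A orphan
    {"sourcetype": "B", "ipaddress": "10.0.0.5", "username": "alice"},
    {"sourcetype": "B", "ipaddress": "10.0.0.9", "username": "bob"},
    {"sourcetype": "B", "ipaddress": "10.0.0.99", "username": "carol"},
    {"sourcetype": "C", "username": "alice", "action": "download"},
    {"sourcetype": "C", "username": "alice", "action": "download"},
    {"sourcetype": "C", "username": "dave", "action": "download"},  # C orphan
]

AB_KEY = "ipaddress"  # common field between A and B
BC_KEY = "username"   # common field between B and C


def bridge_from_b(events):
    """B is the pivot: map each AB_KEY value seen in B to the BC_KEY values
    B carries for it. This is the translation step between the two keys."""
    bridge = defaultdict(set)
    for ev in events:
        if ev["sourcetype"] == "B" and AB_KEY in ev and BC_KEY in ev:
            bridge[ev[AB_KEY]].add(ev[BC_KEY])
    return bridge


def subsearch_values(events):
    """What a correct inner subsearch should return (`| table username`):
    only BC_KEY values whose B event shares an AB_KEY value with some A event."""
    a_keys = {ev[AB_KEY] for ev in events
              if ev["sourcetype"] == "A" and AB_KEY in ev}
    bridge = bridge_from_b(events)
    return set().union(*(bridge[k] for k in a_keys if k in bridge))


def outer_search(events, values):
    """The outer search: C events whose BC_KEY is one of the subsearch values."""
    return [ev for ev in events
            if ev["sourcetype"] == "C" and ev.get(BC_KEY) in values]


def correlate(events):
    """Full A->B->C chains as (A event, C event) pairs: the view a double
    transaction builds, computed here with two dictionary lookups instead."""
    bridge = bridge_from_b(events)
    c_by_key = defaultdict(list)
    for ev in events:
        if ev["sourcetype"] == "C" and BC_KEY in ev:
            c_by_key[ev[BC_KEY]].append(ev)
    pairs = []
    for a in events:
        if a["sourcetype"] != "A":
            continue
        for bc_value in bridge.get(a.get(AB_KEY), ()):
            for c in c_by_key.get(bc_value, ()):
                pairs.append((a, c))
    return pairs


def summarize(events):
    """Counts only (the stats-style answer). Orphans are the A or C events
    that never reach the other side through B."""
    pairs = correlate(events)
    linked_a = {id(a) for a, _ in pairs}
    linked_c = {id(c) for _, c in pairs}
    a_total = sum(1 for ev in events if ev["sourcetype"] == "A")
    c_total = sum(1 for ev in events if ev["sourcetype"] == "C")
    return {
        "pairs": len(pairs),
        "a_total": a_total, "a_linked": len(linked_a),
        "a_orphans": a_total - len(linked_a),
        "c_total": c_total, "c_linked": len(linked_c),
        "c_orphans": c_total - len(linked_c),
    }


if __name__ == "__main__":
    values = subsearch_values(EVENTS)
    print("inner subsearch values:", sorted(values))
    print("outer search hits:", len(outer_search(EVENTS, values)))
    print("summary:", summarize(EVENTS))
```

Two points worth noticing from the output: an A event that matches B but whose B username never appears in C (bob) still counts as an A orphan, and the subsearch approach only answers "which C events are reachable from A", while the pair list is what you need if the question is really "how many A->C chains exist", since one A event can fan out to several C events.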

Splunk Employee
Splunk Employee

Couldn't you just do transaction sessionID jqueryResponse instead of two transactions?

0 Karma