Splunk Search

Correlating events across multiple sources and multiple keys

rjlohan
Explorer

Hi,

I'm after some advice on the best way to create a search for the following scenario.

I have 3 data sources, A, B, C, where there is a common field between A<-->B and a different common field between B<-->C.

What I want to find, is how many events occur in A and C. I can see that I can create a transaction across A&B or B&C, but I'm unsure how to correlate across these sources when the common information changes.

Any tips would be great!

0 Karma

aljohnson_splun
Splunk Employee

Let's call one field ab and the other bc.

This is sort of ambiguous:

how many events occur in A and C

Are you looking for events that started in A and went through to B to C ? The count of events that have a relationship via B, from A<-->C ?

Have you considered using a field alias in B so that the same field can be used from A<-->C , that is, ab also equals ac ?

0 Karma

aljohnson_splun
Splunk Employee

The reason I'm asking for your clarification on this is that, if you're really only looking for counts, there is absolutely no reason to use the transaction command.

0 Karma

vinitatsky
Communicator

You are right. Transaction is a very powerful command, but it has a limitation: it's not advisable to use in a clustered environment, and it takes a lot of resources too.

Another alternative is to use a subsearch.

sourcetype=A OR sourcetype=C [search sourcetype=A OR sourcetype=B | table ]

For example:
Sourcetype A and Sourcetype B - common field is ipaddress
Sourcetype B and Sourcetype C - common field is username

sourcetype=A OR sourcetype=C [search sourcetype=A OR sourcetype=B ipaddress=* | table username]

1) First, search sourcetypes A and B using the field common to A and B, and identify the field common to B and C (i.e. table username).
2) Pass the results from the inner query to the outer query.

Hope this helps.

0 Karma

alacercogitatus
SplunkTrust

So assuming your data looks like this:

event_1A sessionID=someValue
event_1B sessionID=someValue jqueryResponse=someValue
event_1C jqueryResponse=someValue

Then you can do a double transaction (NOTE: I'm doing this off the top of my head, so it might not work right - you may need to finagle.)

<your_search_for_events> | transaction sessionID keeporphans=true | transaction jqueryResponse | <do_other_things>

There may be a more streamlined search, but this one comes to mind.

0 Karma

aljohnson_splun
Splunk Employee

Couldn't you just do transaction sessionID jqueryResponse instead of two transactions?

0 Karma
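A count-only approach in the spirit of aljohnson_splun's remark that counts do not need transaction, written against the data shape alacercogitatus sketched (sessionID links A<-->B, jqueryResponse links B<-->C). This is an added example, not a search posted in the thread; the sourcetype names A, B, C and both field names are assumptions.

```spl
(sourcetype=A OR sourcetype=B) sessionID=*
| stats count(eval(sourcetype="A")) AS a_count values(jqueryResponse) AS jqueryResponse BY sessionID
| where a_count > 0 AND isnotnull(jqueryResponse)
| mvexpand jqueryResponse
| append [ search sourcetype=C jqueryResponse=* | stats count AS c_count BY jqueryResponse ]
| stats sum(a_count) AS a_events sum(c_count) AS c_events values(sessionID) AS sessionIDs BY jqueryResponse
| where a_events > 0 AND c_events > 0
```

The first stats keeps only sessionIDs that have at least one A event and a B event carrying a jqueryResponse, the append adds per-key C counts, and the final stats merges the two sides so each row is a jqueryResponse reachable from A through B with its A and C event counts. Because append is a subsearch it is bound by the subsearch result limits, so on large B or C volumes run the two halves as scheduled searches into a summary index instead.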