Correlating events across multiple sources and multiple keys



I'm after some advice on the best way to create a search for the following scenario.

I have 3 data sources, A, B, C, where there is a common field between A<-->B and a different common field between B<-->C.

What I want to find is how many events occur in A and C. I can see that I can create a transaction across A&B or B&C, but I'm unsure how to correlate across these sources when the common information changes.

Any tips would be great!

0 Karma

Splunk Employee

Let's call one field ab and the other bc.

This is sort of ambiguous:

how many events occur in A and C

Are you looking for events that started in A and went through B to C? The count of events that have a relationship via B, from A<-->C?

Have you considered using a field alias in B so that the same field can be used from A<-->C, that is, ab also equals ac?

0 Karma

Splunk Employee

The reason I'm asking for your clarification on this is that, if you're really only looking for counts, there is absolutely no reason to use the transaction command.

0 Karma


You are right. Transaction is a very powerful command, but it has a limitation: it's not advisable to use in a clustered environment, and it takes a lot of resources too.

Another alternative is to use a subsearch.

sourcetype=A OR sourcetype=C [search sourcetype=A OR sourcetype=B | table ]

For example:
Sourcetype A and Sourcetype B - common field is ipaddress
Sourcetype B and Sourcetype C - common field is username

sourcetype=A OR sourcetype=C [search sourcetype=A OR sourcetype=B ipaddress=* ipaddress | table username]

1) First search for information in sourcetypes A and B using the common field between A and B, and identify the field which is common between B and C (i.e. table username).
2) Pass the results from the inner query to the outer query.

Hope this helps.

0 Karma
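A stats-only way to do the same two-hop correlation and get the counts, added here as an example rather than code from any of the answers above: the first stats hop carries B's username onto each ipaddress seen in A, the appended subsearch counts C by username, and the final stats joins the two hops on username. It reuses the field names from the subsearch answer (ipaddress shared by A and B, username shared by B and C) and assumes sourcetype values A, B and C, which are placeholders.

```spl
sourcetype=A OR sourcetype=B
| stats count(eval(sourcetype=="A")) AS a_events, values(username) AS username BY ipaddress
| search username=*
| mvexpand username
| append
    [ search sourcetype=C
      | stats count AS c_events BY username ]
| stats sum(a_events) AS a_events, sum(c_events) AS c_events BY username
| where a_events>0 AND c_events>0
```

If B maps one ipaddress to several usernames, a_events is repeated once per username after mvexpand, so a many-to-many mapping in B inflates the A count. The append subsearch is also subject to the subsearch result limit, so for a large C volume move that side into the main search and use eventstats instead.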


So assuming your data looks like this:

event_1A sessionID=someValue
event_1B sessionID=someValue jqueryResponse=someValue
event_1C jqueryResponse=someValue

Then you can do a double transaction (NOTE: I'm doing this off the top of my head, so yeah, it might not work right - you may need to finagle.)

<your_search_for_events> | transaction sessionID keeporphans=true | transaction jqueryResponse | <do_other_things>

There may be a more streamlined search, but this one comes to mind.

0 Karma

Splunk Employee

Couldn't you just do transaction sessionID jqueryResponse instead of two transactions?

0 Karma