Correlation Analysis Labs- How do I modify search ...

Nadeem · ‎06-03-2023

index=web sourcetype=access_combined
| transaction _time,clientip, JSESSIONID,action

How do I Modify my search to display the transactions in a table for above SPL

gcusello · ‎06-04-2023

Hi @Nadeem,

I,'m not sure that you correlation runs, because using :time as key without a grouping using the bin (or bucket9 command, it's diffoicoult that more events have the same timestamp.

And anyway, I wouldn't use transaction command because it's a very slow command, I'd use stats, something like this (e.g. grouping for the same hour);

index=web sourcetype=access_combined
| bin span=1h _time
| stats count BY _time clientip JSESSIONID action

this search is surely faster than the previous one.

Ciao.

Giuseppe

isoutamo · ‎06-06-2023

Hi

as other already said, 1st you must define what you want to be in your transaction?

Usually it contains events mapped by client and JSESSIONID like

index=web sourcetype=access_combined
| transaction startswith=<any start action for transaction> endswith=<end action for transaction> clientip JSESSIONID
| table _time JSESSIONID clientip action
| sort 0 _time

You could/should change those parameters for transaction command based on what you want to find.

Also using stats like @gcusello shows is one option, but as said, 1st you need to know what is your transaction.

r. Ismo

yuanliu · ‎06-03-2023

Did you forget to tell us what you want the table to include? Are you just looking for table? For example, if you want fields a, b, c in addition to clientip, JSESSIONID,action, you can do

| table _time a b c clientip, JSESSIONID,action

Correlation Analysis Labs- How do I modify search to display the transactions in table?

table

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)