Splunk Search

Event Correlation

ninadmnaik
Explorer

I have two events:

Event 1:
transactionId=123 field_x=x_value

Event 2
transactionId=123 status=success

How can I correlate these two?
I want to create a timechart for “field_x” when “status=success”

So, basically, the search quey is:
transactionId field_x | timechart count by field_x

But I want to get all “field_x” only when status=success.

So, I guess this is equivalent to SQL IN() construct:
SELECT field_x from table where transactionId IN (SELECT transactionId from table where status=success);

I am trying to do a subsearch like:
source="source1" field_x=* transactionId [search source="source1" AND status=success | fields transactionId] | timechart count by field_x

Doesn't seem to be working.

Tags (1)
0 Karma
1 Solution

lguinn2
Legend

Try this:

yoursearchhere | 
transaction transactionId | 
search status=success | 
timechart count by field_x

I think you were making it too hard! 🙂

View solution in original post

lguinn2
Legend

Try this:

yoursearchhere | 
transaction transactionId | 
search status=success | 
timechart count by field_x

I think you were making it too hard! 🙂

View solution in original post

ninadmnaik
Explorer

Oh yeah, you're right. That did it. Thanks a bunch !!

0 Karma

lguinn2
Legend

The transaction consists of a set of events, all with the same transactionId. The search command applies to the entire transaction, not the individual events. So the AND should be okay.

0 Karma

lguinn2
Legend

What do you get when you just do

source="source1" field_x=* OR status=success |
transaction transactionId

0 Karma

ninadmnaik
Explorer

As per your new suggestion, that won't work, because:
search status=success AND field_x="*"

For the above to work, both the fields should be in the same logging event right? But they aren't.
I have two different logging events as:

Event 1:
transactionId=123 field_x=x_value

Event 2
transactionId=123 status=success

0 Karma

ninadmnaik
Explorer

No, I take it back. When I said it was working, I missed the following line (bold) in the query:

source="source1" field_x=* OR status=success |
transaction transactionId |
search status=success |
timechart count by field_x

If I add this line "search status=success", I don't get any results. And without checking whether "status=success" I will get all "field_x" values for which "status=failed" as well.

0 Karma

lguinn2
Legend

I think that you have some transactions that do not have field_x in them. Try this

source="source1" field_x=* OR status=success |
transaction transactionId |
search status=success AND field_x="*" |
timechart count by field_x

0 Karma

ninadmnaik
Explorer

No, you are right. Updated my query to:

source="source1" field_x=* OR status=success |
transaction transactionId |
search status=success |
timechart count by field_x

Now it's giving me the chart.

However, one little thing. Along with the four values of "field_x" it's also showing a value "NULL". Wonder why is that.

Will update this when I find out about NULL.

Please let me know if you have an idea.

Thanks a bunch for your answer.

0 Karma

ninadmnaik
Explorer

Oh yes, that does make sense. But this isn't working either. Splunk isn't finding any matching events.

Here's the updated query as per your suggestion.

source="source1" field_x=* |
transaction transactionId |
search status=success |
timechart count by field_x

0 Karma