Splunk Search

Event Correlation

Explorer

I have two events:

Event 1:
transactionId=123 fieldx=xvalue

Event 2
transactionId=123 status=success

How can I correlate these two?
I want to create a timechart for “field_x” when “status=success”

So, basically, the search query is:
transactionId fieldx | timechart count by fieldx

But I want to get all “field_x” only when status=success.

So, I guess this is equivalent to SQL IN() construct:
SELECT field_x from table where transactionId IN (SELECT transactionId from table where status=success);

I am trying to do a subsearch like:
source="source1" fieldx=* transactionId [search source="source1" AND status=success | fields transactionId] | timechart count by fieldx

Doesn't seem to be working.


Re: Event Correlation

Legend

Try this:

yoursearchhere | 
transaction transactionId | 
search status=success | 
timechart count by field_x

I think you were making it too hard! 🙂



Re: Event Correlation

Explorer

Oh yes, that does make sense. But this isn't working either. Splunk isn't finding any matching events.

Here's the updated query as per your suggestion.

source="source1" fieldx=* |
transaction transactionId |
search status=success |
timechart count by field_x


Re: Event Correlation

Explorer

No, you are right. Updated my query to:

source="source1" fieldx=* OR status=success |
transaction transactionId |
search status=success |
timechart count by field_x

Now it's giving me the chart.

However, one little thing. Along with the four values of "field_x" it's also showing a value "NULL". Wonder why that is.

Will update this when I find out about NULL.

Please let me know if you have an idea.

Thanks a bunch for your answer.


Re: Event Correlation

Legend

I think that you have some transactions that do not have field_x in them. Try this

source="source1" field_x=* OR status=success |
transaction transactionId |
search status=success AND field_x="*" |
timechart count by field_x


Re: Event Correlation

Explorer

No, I take it back. When I said it was working, I missed the following line (bold) in the query:

source="source1" fieldx=* OR status=success |
transaction transactionId |
search status=success |
timechart count by field_x

If I add this line "search status=success", I don't get any results. And without checking whether "status=success" I will get all "field_x" values for which "status=failed" as well.


Re: Event Correlation

Explorer

As per your new suggestion, that won't work, because:
search status=success AND field_x="*"

For the above to work, both the fields should be in the same logging event right? But they aren't.
I have two different logging events as:

Event 1:
transactionId=123 fieldx=xvalue

Event 2
transactionId=123 status=success


Re: Event Correlation

Legend

What do you get when you just do

source="source1" field_x=* OR status=success |
transaction transactionId


Re: Event Correlation

Legend

The transaction consists of a set of events, all with the same transactionId. The search command applies to the entire transaction, not the individual events. So the AND should be okay.

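As an added illustration (not code from the thread and not Splunk's own implementation), here is a small Python model of what `transaction` followed by `search` does to the two-event pattern discussed above. The log lines are constructed, and the function names are only stand-ins for the SPL commands. It reproduces the three behaviours the thread works through: `search status=success` finds nothing when the status events were filtered out before `transaction`; a `NULL` column appears for transactions that have no `field_x` event; and `search status=success AND field_x="*"` works because both conditions are evaluated against the merged transaction, not against the individual raw events.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the thread). Each transaction is
# split across two events exactly as in the question: one event carries
# field_x, the other carries status. Transaction 126 has a status event
# but no field_x event, which is what produces the "NULL" column.
SAMPLE_EVENTS = """\
2024-01-01T10:00:01 transactionId=123 field_x=alpha
2024-01-01T10:00:02 transactionId=123 status=success
2024-01-01T10:00:03 transactionId=124 field_x=beta
2024-01-01T10:00:04 transactionId=124 status=failed
2024-01-01T10:00:05 transactionId=125 field_x=alpha
2024-01-01T10:00:06 transactionId=125 status=success
2024-01-01T10:01:07 transactionId=126 status=success
2024-01-01T10:01:08 transactionId=127 field_x=gamma
2024-01-01T10:01:09 transactionId=127 status=success
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Turn 'timestamp key=value ...' lines into dicts with a _time field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        ev = {"_time": datetime.fromisoformat(ts)}
        ev.update(KV_RE.findall(rest))
        events.append(ev)
    return events


def transaction(events, key="transactionId"):
    """Stand-in for `transaction <key>`: events sharing the key value are
    merged into one record. _time is the earliest member's time and every
    other field becomes the set of values seen across the members."""
    groups = defaultdict(list)
    for ev in events:
        if key in ev:
            groups[ev[key]].append(ev)
    txns = []
    for k, members in groups.items():
        merged = {"_time": min(m["_time"] for m in members), key: k}
        for m in members:
            for f, v in m.items():
                if f not in ("_time", key):
                    merged.setdefault(f, set()).add(v)
        txns.append(merged)
    return txns


def search(txns, **conds):
    """Stand-in for `search f1=v1 f2=v2` run after `transaction`: the
    conditions are tested against the merged record, so fields that came
    from different raw events can be ANDed together. "*" only requires
    the field to exist."""
    matched = []
    for t in txns:
        if all(f in t and (v == "*" or v in t[f]) for f, v in conds.items()):
            matched.append(t)
    return matched


def timechart_count_by(txns, field):
    """Stand-in for `timechart span=1m count by <field>`: one-minute buckets
    keyed by ISO minute, counting each value of <field>; a record with no
    such field is counted under "NULL", like Splunk's NULL column."""
    chart = defaultdict(lambda: defaultdict(int))
    for t in txns:
        bucket = t["_time"].strftime("%Y-%m-%dT%H:%M")
        for v in sorted(t.get(field, {"NULL"})):
            chart[bucket][v] += 1
    return {b: dict(c) for b, c in chart.items()}


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    # Filtering on field_x before transaction drops every status event,
    # so the later search for status=success matches nothing.
    print(search(transaction([e for e in events if "field_x" in e]), status="success"))
    txns = transaction(events)
    # The thread's query that showed a NULL column.
    print(timechart_count_by(search(txns, status="success"), "field_x"))
    # With field_x="*" added, transactions lacking field_x drop out.
    print(timechart_count_by(search(txns, status="success", field_x="*"), "field_x"))
```

The model keeps only the parts of `transaction` that matter here (grouping by the key and unioning field values); the real command also honours `maxspan`, `startswith`/`endswith` and similar options, which this stand-in ignores.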

Re: Event Correlation

Explorer

Oh yeah, you're right. That did it. Thanks a bunch!!
