Splunk Search

Get loginID correlating to another event

tomdepunkt
New Member

Hi everyone,

I'm currently struggling getting the results I want to receive.

I have a different set of logs, but only need information from two of them. One which logs the method used and another log which contains information about the users.

The objective is, to only extract loginIDs which are relating to events happend in the method logs. The only relation between them, is the sessionID, but the amount of logfiles contains so many entries, that a join is just unpractical.

Example Logfiles:

2019-02-20T09:15:10+01:00 hostname_02 server_name: 2019-02-20 09:15:10 INFO  <<<<< object=BackendService_v08, method=getUsername, clID=123456789abcdefg

-

2019-02-20T09:15:15+01:00 hostname_02 server_name: 2019-02-20 09:15:15 INFO  (source='session, httpSessionId='123456789abcdefg') RuntimeUserInfo (loginId='dummy' firstName='Test' lastName='User' userId='1234' clientId='99')

I now want to extract the loginId of the relating user (1234) and the method (getUsername). It is possible, that a user executed more than just one method, which then should be grouped by the clientId. However, the only shared information is the clID which is stored in the httpSessionId. Because of approximately 8 million events, a join containing a subsearch is regarding execution time no appropriate solution.

Is there any feasible way to correlate those events and get the userId together with its used methods?

Thanks in advance.

Tom

0 Karma

knielsen
Contributor

Yeah, you don't want to use join. Let's pretend your sourcetypes are "msglog" and "infolog":

(index=A sourcetype=msglog) OR (index=B sourcetype=infolog) 
| eval id=case(sourcetype="msglog",clID,sourcetype="infolog",httpSessionId)
| stats values(userId) as userId values(method) as method by id

should get be pretty close to what you want.

Tip: Look up the "Let stats sort them out" session recording by Nick Mealy at .conf2016 🙂

Hth,
-Kai.

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@tomdepunkt,
If you have one user per session, then try

(source="first log file" OR source="second log file")  "other search terms" 
|rename clID as httpSessionId
|stats values(userId) as userId,values(method) as method by httpSessionId
Happy Splunking!
0 Karma

tomdepunkt
New Member

@renjith.nair

This actually comes pretty close. It groups the findings of the used methods by the SessionId, but unfortunately doesn't list any loginId at all.

EDIT:
After a small modification and correcting a typo I made, it seems like it works like a charm. Thank you very much, that saves a lot of time.

0 Karma

tomdepunkt
New Member

Hi,

thanks for your suggestion. Unfortunately a user can have different sessions over time. Sorry, that I forgot to mention that in my previous post.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...