Splunk Search

How can I analyze different events where the field is the same but the keywords differ, and get a count of events where one event led to another?

macadminrohit
Contributor

Hi Experts,

I have got a requirement where I have a few events where one of the fields contains some keyword, say "Unhandled exception", which is followed by subsequent events with different keywords, say "Authorisation Started".

So basically I am trying to analyze different events where the field is the same but the keywords differ, and we are trying to check for that relationship, which will help us to find the count of events where one event led to another.

Let me know if that is possible and through which command.

0 Karma

DUThibault
Contributor

Could you describe this in more detail? A sample set of events would do wonders. Also, do you want to do this at index time or at search time?

0 Karma

macadminrohit
Contributor

{"bdy":{"msg":"AuthenticationPage loaded.","metricName":"PageLoad","metricValue":"AuthenticationPage","measuredTime":"00:00:00.2587706"},"hdr":{"level":"Information","timestamp":"2018-02-07T21:59:12.3973812Z","lineNum":0,"loc":"ABC","ABCId":"0170","ip":"xx.xx.xx.xx","hostName":"xx.xx","macaddress":"mac-d","eventid":0,"appVersion":"18","appName":"Logon","deviceModel":"","osVersion":"1944","firmwareVersion":"17222.0"},"ver":"0.1"}

In the first event we have to catch the keyword "AuthenticationPage Loaded" and check whether, in the past 2-3 minutes, the below event (or any event) happened which has the error "Unhandled Exception". And if that is the case we need the count based on the location.

{"bdy":{"msg":"Unhandled Exception","ex":{"Msg":"Unable to Claim . P.Scanner.GetDefaultAsync() returned null. This generally means you need to add DeviceCapability for Service in Package.appxmanifest file.","StackTrace":" at Abcde.Core.device.WinRT.Scanner.d__32.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at

I want to achieve this in a dashboard, so it will be at the search time.

0 Karma

elliotproebstel
Champion

This is definitely possible, and it will be easiest for us to help if you can provide some sample events (with sensitive data redacted, if necessary). When you post them, use the 101010 code button to wrap your events and make them more easily readable.

0 Karma

macadminrohit
Contributor

Here you go, below is the

{"bdy":{"msg":"AuthenticationPage loaded.","metricName":"PageLoad","metricValue":"AuthenticationPage","measuredTime":"00:00:00.2587706"},"hdr":{"level":"Information","timestamp":"2018-02-07T21:59:12.3973812Z","lineNum":0,"loc":"ABC","ABCId":"0170","ip":"xx.xx.xx.xx","hostName":"xx.xx","macaddress":"mac-d","eventid":0,"appVersion":"18","appName":"Logon","deviceModel":"","osVersion":"1944","firmwareVersion":"17222.0"},"ver":"0.1"}

In the first event we have to catch the keyword "AuthenticationPage Loaded" and check whether, in the past 2-3 minutes, the below event (or any event) happened which has the error "Unhandled Exception". And if that is the case we need the count based on the location.

{"bdy":{"msg":"Unhandled Exception","ex":{"Msg":"Unable to Claim . P.Scanner.GetDefaultAsync() returned null. This generally means you need to add DeviceCapability for Service in Package.appxmanifest file.","StackTrace":" at Abcde.Core.device.WinRT.Scanner.d__32.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at

0 Karma

macadminrohit
Contributor

And the good thing is that there is a field in these events, macaddress, and we want to capture these events for the same macaddress. So I am thinking we could do this using the transaction command.

0 Karma

macadminrohit
Contributor

So basically these are JSON events which are automatically parsed by Splunk into fields, and I need to search for the strings in the bdy.msg field and find the number of such occurrences by another field (bdy.mac).

0 Karma
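The thread never reaches a worked search, so here is one way to express the correlation described above. This is an added example, not code posted by anyone in the thread. It assumes the JSON events are already indexed with _time taken from hdr.timestamp, that the auto-extracted field names follow the sample events (bdy.msg for the message, hdr.macaddress for the device, hdr.loc for the location), and that the data lives in an index and sourcetype named here as index=app_logs and sourcetype=logon_json, both placeholders. The 180-second window stands in for the "2-3 minutes" in the question.

```spl
index=app_logs sourcetype=logon_json
    ("AuthenticationPage loaded" OR "Unhandled Exception")
| eval kind=case(
        match('bdy.msg', "^AuthenticationPage loaded"), "page_loaded",
        match('bdy.msg', "^Unhandled Exception"),      "exception")
| where isnotnull(kind)
| sort 0 _time
| streamstats current=f
    last(eval(if(kind="exception", _time, null()))) as last_exception_time
    by hdr.macaddress
| where kind="page_loaded" AND isnotnull(last_exception_time)
    AND (_time - last_exception_time) <= 180
| stats count as page_loads_after_exception by hdr.loc
```

Stage by stage: the first line narrows the search to only the two message types so the later commands work on a small set. The eval labels each event as page_loaded or exception from bdy.msg (dotted field names must be single-quoted inside eval and where, because a bare dot is the concatenation operator). The sort puts events in chronological order, which streamstats needs. streamstats with current=f carries, per macaddress, the _time of the most recent exception seen before the current event; stats functions ignore null values, so page_loaded events do not reset it. The where keeps only page-load events that had an exception on the same device within the window, and the final stats counts them per location. The transaction command mentioned in the thread (transaction hdr.macaddress startswith=kind="exception" endswith=kind="page_loaded" maxspan=3m, followed by stats count by hdr.loc) gives similar results but is considerably more expensive on large volumes, which matters for a dashboard that runs on a schedule.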