Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to associate and create fields between 2 JSON events?

jeanmatthieu
Explorer
‎10-01-2015 03:16 PM

Hey Everyone,

I'm trying to extract fields from an event using a somewhat similar foreign key concept/mechanism.
For the two events as below:

Event#1

{
   colour=blue,
   metadata_id=1234-56,
   record_type=car
}

Event#2

 {
       material=plastic,
       country_of_origin=germany
       metadata_id=1234-56,
       record_type=metadata
    }

I would like to be able to add to Event#1 the material and country_of_origin fields so I can easily search for all blue cars made in Germany as such:

index=cars country_of_origin=germany colour=blue record_type=car

Could you kindly suggest how I could build fields using metadata_id as a foreign key in Event#1 that extracts the necessary info from Event #2 ?

Thank you!
Jean-Matthieu

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-01-2015 03:58 PM

Since they are in same index/sourcetype but present in different event, you will not be able to do filters, like you need, directly. You would need to do some processing (correlation) before the filter. Something like this

index=cars | table colr, metadata_id, record_type, material, country_of_origin | stats values(*) as * by metadata_id | search country_of_origin=germany colour=blue record_type=car

For long term, you can assign different sourcetype from same data source, based on regular expression. See this
http://docs.splunk.com/Documentation/Splunk/6.2.4/Data/Advancedsourcetypeoverrides

Once you've the color (any attribute which appears less number of time) on different sourcetype, Then you may have different options, like you can create a lookup table and use that as filter, OR use the 2nd sourcetype as subsearch filter etc.

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-01-2015 03:58 PM

Since they are in same index/sourcetype but present in different event, you will not be able to do filters, like you need, directly. You would need to do some processing (correlation) before the filter. Something like this

index=cars | table colr, metadata_id, record_type, material, country_of_origin | stats values(*) as * by metadata_id | search country_of_origin=germany colour=blue record_type=car

For long term, you can assign different sourcetype from same data source, based on regular expression. See this
http://docs.splunk.com/Documentation/Splunk/6.2.4/Data/Advancedsourcetypeoverrides

Once you've the color (any attribute which appears less number of time) on different sourcetype, Then you may have different options, like you can create a lookup table and use that as filter, OR use the 2nd sourcetype as subsearch filter etc.

Reply
Solved! Jump to solution

jeanmatthieu
Explorer
‎10-05-2015 05:04 PM

@somesoni2, you're awesome Sir!

I did exactly what you said: source type override with transforms/props and filtering with sub search + using join to aggregate fields and my queries are flying.

Thanks again!

0 Karma
Reply
Solved! Jump to solution

jeanmatthieu
Explorer
‎10-01-2015 04:24 PM

Thank you for pointing me to the advanced source type override.
I should probably implement that first as follow
In transforms.conf:

[my_car_metadata]
REGEX = *.record_type=metadata.*
FORMAT = sourcetype::car_metadata
DEST_KEY = MetaData:Sourcetype

In props.conf:

[original_sourcetype]
TRANSFORMS-car_metatdata_sourcetype = my_car_metadata

Of your two suggestions (creating and using lookup table as a filter and sub search) I would not know which one is the most efficient. Would you be able to illustrate one technique please ? I have seen the ease of CSV lookups before and was hoping for a similar solution with JSON based events.

On a side note, naming convention in props.conf looks like a strategy of its own !

Thank again for your prompt help!

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎10-01-2015 03:22 PM

Both events appears on the same index/sourcetype??

0 Karma
Reply
Solved! Jump to solution

jeanmatthieu
Explorer
‎10-01-2015 03:31 PM

They do indeed -- it would be difficult to post to a different source type as events are received through a tcp port on a heavy forwarder and safely brought to our backend afterwards. Thanks !

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
li.common.scroll-to.top