
How to connect consumers and providers based on ID between logs and display their server names too?

ana
Engager

I am hoping you could help me out with this query, as I am quite stuck.

I want to be able to retrieve the name of the server that acts as a provider and the name of the server that acts as a consumer. The way to check this is that a log has an IDConsumer that equals the ID of the other server. For instance, here are two logs:

ServerName="Server1", ID="1", IDConsumer=null

ServerName="Server2", ID="2" , IDConsumer="1"

And what I want to retrieve is a table like this:

To        From      IDConsumer   IDProvider
Server1   Server2   1            2

Appreciate a lot!

1 Solution

ITWhisperer
SplunkTrust
| eval To=if(isnull(IDConsumer),ServerName,null())
| eval From=if(isnull(IDConsumer),null(),ServerName)
| eval Consumes=if(isnull(IDConsumer),ID,IDConsumer)
| eval IDProvider=if(isnull(IDConsumer),null(),ID)
| stats values(To) as To values(From) as From values(IDConsumer) as IDConsumer values(IDProvider) as IDProvider by Consumes

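The pairing logic above can be tried without any indexed data. The search below is an added example, not part of ITWhisperer's answer: it builds the two sample events from the question with makeresults, normalises the literal string "null" (if the raw event really contains IDConsumer=null, field extraction yields the text "null" and isnull() is false, so the provider row would be misclassified), then runs the same eval/stats chain. The field names ServerName, ID and IDConsumer are taken from the question; the row field and the "null"-to-null() normalisation are assumptions for this example.

```spl
| makeresults count=2
| streamstats count as row
| eval ServerName="Server".row, ID=tostring(row), IDConsumer=if(row==2,"1","null")
| fields - _time row
| eval IDConsumer=if(IDConsumer=="null", null(), IDConsumer)
| eval To=if(isnull(IDConsumer),ServerName,null())
| eval From=if(isnull(IDConsumer),null(),ServerName)
| eval Consumes=if(isnull(IDConsumer),ID,IDConsumer)
| eval IDProvider=if(isnull(IDConsumer),null(),ID)
| stats values(To) as To values(From) as From values(IDConsumer) as IDConsumer values(IDProvider) as IDProvider by Consumes
| table To From IDConsumer IDProvider
```

Running this returns one row: To=Server1, From=Server2, IDConsumer=1, IDProvider=2. Because the join key Consumes is the provider's ID, the approach assumes ID is unique per provider; if several consumers point at the same provider, values(From) and values(IDProvider) return multivalue fields rather than one row per consumer, which is worth knowing before the table is used for any review of which systems talk to which.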

ana
Engager

Thank you!
