I have a device that sends its logs in multiple lines. It's an authentication device, and for one authentication, it sends about 10 logs, all containing a field that is like a session reference.
I would like to create a graph with the failed authentications that are present on the logs, but to do so, I have to correlate 2 log lines (the one containing the username, and the other one containing the message "Sent failure response".
The 2 fields are CN for the username and response_type for the message that is returned by the device.
The one field that is present on both logs is an otp code simply named otp.
I have tried different approaches but every time, I get more information that I need on my final table or not as much as I want on a pie chart.
Can anyone tell me how to correlate 2 fields across the same index on 2 different logs with one field in common, please?
Thank you in advance
Hi, this is definitely possible but you need to share sample of your splunk events and your desired output
Without actually seeing the logs, you could most likely use the transaction command. Try something like the following:
index=some_index sourcetype=some_sourcetype | transaction otp | table otp CN response_type
Thank you for the reply. I have tried the transaction command but unfortunately, it didn't return any result...
I had seen this before, but when I try it, it's like no log is matching my request.
My request was
index=index (field1="value1" OR field1="value2") | transaction openotp | table openotp CN response_type
And then Splunk says No result found
Any idea? Does this command needs 2 different index to work?
I would first run the base search (before the first pipe), to see if you get results. Then, verify the fieldname (case sensitive). Add the transaction in once you verify the fieldname. It is always a good troubleshooting practice to start at the base search then slowly build until it breaks. Once it breaks, you should be able to identify the problem more easily.