Splunk Search

How to correlate two fields across the same index on two different logs with one field in common?

mclesse
New Member

Hello,

I have a device that sends its logs in multiple lines. It's an authentication device, and for one authentication, it sends about 10 logs, all containing a field that is like a session reference.
I would like to create a graph with the failed authentications that are present on the logs, but to do so, I have to correlate 2 log lines (the one containing the username, and the other one containing the message "Sent failure response").
The 2 fields are CN for the username and response_type for the message that is returned by the device.

The one field that is present on both logs is an otp code simply named otp.

I have tried different approaches but every time, I get more information than I need on my final table or not as much as I want on a pie chart.

Can anyone tell me how to correlate 2 fields across the same index on 2 different logs with one field in common, please?

Thank you in advance

Mael

0 Karma

mclesse
New Member

Hello,

Thank you for the reply. I have tried the transaction command but unfortunately, it didn't return any result...
I had seen this before, but when I try it, it's like no log is matching my request.

My request was

index=index (field1="value1" OR field1="value2") | transaction openotp | table openotp CN response_type

And then Splunk says No result found

Any idea? Does this command need 2 different indexes to work?

Thank you

Regards,

Maël

0 Karma

kmorris_splunk
Splunk Employee

I would first run the base search (before the first pipe), to see if you get results. Then, verify the fieldname (case sensitive). Add the transaction in once you verify the fieldname. It is always a good troubleshooting practice to start at the base search then slowly build until it breaks. Once it breaks, you should be able to identify the problem more easily.

0 Karma

kmorris_splunk
Splunk Employee

Without actually seeing the logs, you could most likely use the transaction command. Try something like the following:

index=some_index sourcetype=some_sourcetype | transaction otp | table otp CN response_type

0 Karma
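As an added illustration (not part of the reply above, and not the asker's real device output), the correlation described here, run over constructed multi-line events: group on the shared otp field, pick up CN and response_type from whichever lines carry them, then count failures per user. The field names and the stats-based SPL in the comment are assumptions taken from the thread.

```python
import re
from collections import defaultdict

# Constructed sample events: one authentication spans several lines that share
# the otp session reference; CN and response_type arrive on different lines.
SAMPLE_LOGS = [
    'ts=1 otp=483920 CN=alice msg="Received request"',
    'ts=2 otp=483920 response_type="Sent failure response"',
    'ts=3 otp=771204 CN=bob msg="Received request"',
    'ts=4 otp=771204 response_type="Sent success response"',
    'ts=5 otp=102938 CN=alice msg="Received request"',
    'ts=6 otp=102938 response_type="Sent failure response"',
    'ts=7 otp=555555 response_type="Sent failure response"',  # CN line never arrived
]

# key=value pairs; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line):
    """Extract key=value pairs from one log line, stripping surrounding quotes."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in KV_RE.finditer(line)}


def correlate_by_otp(lines):
    """Merge every line with the same otp into one record (what `transaction otp`
    or `stats values(CN) values(response_type) by otp` does in Splunk)."""
    sessions = defaultdict(dict)
    for line in lines:
        ev = parse_event(line)
        otp = ev.get("otp")
        if otp is None:
            continue  # lines without the shared field cannot be correlated
        for field in ("CN", "response_type"):
            if field in ev:
                sessions[otp][field] = ev[field]
    return dict(sessions)


def failed_auths_by_user(lines, failure_msg="Sent failure response"):
    """Count failed authentications per CN: the input for the pie chart.
    Sessions whose CN line was never seen are reported under 'unknown'."""
    counts = defaultdict(int)
    for fields in correlate_by_otp(lines).values():
        if fields.get("response_type") == failure_msg:
            counts[fields.get("CN", "unknown")] += 1
    return dict(counts)

# Assumed SPL equivalent of the above (field and sourcetype names from the thread):
#   index=some_index sourcetype=some_sourcetype
#   | stats values(CN) as CN values(response_type) as response_type by otp
#   | search response_type="Sent failure response" | stats count by CN
```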

Sukisen1981
Champion

Hi, this is definitely possible, but you need to share a sample of your Splunk events and your desired output.

0 Karma