How to correlate two searches that don't share a common field?

So I am trying to correlate two searches with one another. Unfortunately, I don't have any common fields between the two searches, but I can derive the host field and eval to store it... Here is the search so far:

index=an_index sourcetype=a_sourcetype level=ERROR | rex field=_raw "Application (?<app_sys_name>.*) environments .* timed out waiting to reach a status in .* and health .*"
| append [search index=a_differnet_index sourcetype=a_different_index "/health" | rex field=_raw "HTTP/1.1\" (?<code>\d\d\d) \d+"]
| eval hst=app_sys_name + "-" + deploy_version
| streamstats current=f window=1 last(hst) as hst

So, I get a bunch of results and I want a way to filter out the hosts where host != hst*. The only event that generates an hst field, however, is the single result from the outer search. I need to use the hst field in the appended results. I thought streamstats would work at the end by copying the field from the last event to the current event, but it didn't.

Can anyone help me?



I think your problem lies in the interpretation of how last() works, and in particular how it works in streamstats.

You have to think of streamstats working through the result rows, row by row starting from the first row to the last row. first(foo) will tell it to grab the first value it sees for that field and never get another value. last(foo) will likewise tell it to use the last value it has seen as it has been going through.

However, streamstats never goes backwards. So it cannot in principle modify an earlier row using data that it has seen in a later row.

So, I think if you're intending to get a set of rows from the first search, tack on another set of rows with append, construct a "hst" field basically only on that second set of rows, and then copy out that hst field onto all the earlier rows, well, you may want eventstats instead of streamstats.

eventstats is similar, except it makes a pass through all of the rows, calculates one overall value for last(foo) and first(bar) and avg(baz), and then uses those values on all rows.

Note that both eventstats and streamstats take a "by someField" clause which can be extremely powerful. File that away for a rainy day.

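Putting the answer together with the original search, here is an added example (not from the poster or the answerer) of the eventstats form. It assumes deploy_version is already extracted on the ERROR events, as the question's eval implies, and that the host field of the /health events starts with the app_sys_name-deploy_version string; eventstats last(hst) ignores the null hst on the appended rows, so the single value from the outer search is copied onto every row, and the final where keeps only the rows whose host begins with it (the prefix test that "host != hst*" was meant to express).

```spl
index=an_index sourcetype=a_sourcetype level=ERROR
| rex field=_raw "Application (?<app_sys_name>.*) environments .* timed out waiting to reach a status in .* and health .*"
| eval hst=app_sys_name . "-" . deploy_version
| append [search index=a_differnet_index sourcetype=a_different_index "/health" | rex field=_raw "HTTP/1.1\" (?<code>\d\d\d) \d+"]
| eventstats last(hst) as hst
| where like(host, hst . "%")
```

If the ERROR event itself should survive the filter regardless of its host, change the last line to `| where isnull(code) OR like(host, hst . "%")`, since code only exists on the appended /health rows.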