Splunk Search

How to fetch REQUEST and RESPONSE events based on clientIP mentioned in third event of HEADER?

dmuley
Explorer

2022-06-12 21:51:42.274 threadId=L4C9D6WIYK2K eventType="RESPONSE" data="<TestRQ>sometestdata</TestRQ>"
2022-06-12 21:51:41.274 threadId=L4C9D6WIYK2K eventType="REQUEST" data="<TestRQ>sometestdata</TestRQ>"
2022-06-12 21:51:40.274 threadId=L4C9D6WIYK2K eventType="HEADER" data="clientIP=101.121.22.11"

Hello Team,

I have the series of events shown above, and if you look at the event with eventType="HEADER", the clientIP is in the data field.

I need to fetch the REQUEST and RESPONSE events based on the clientIP mentioned in the third event (the HEADER). The common unique ID between all 3 events is threadId. How can I achieve this in a Splunk query?

I am new to Splunk; I am only good at basic searches.

index=test eventType="HEADER" clientIP=101.121.22.11 ------>> and pass on the threadId to fetch the eventType="REQUEST" and eventType="RESPONSE" events


@ITWhisperer 

0 Karma

PickleRick
SplunkTrust

The most obvious thing would be to use transaction to group the events by threadId.

But that would mean "squishing" together the eventType and data values, so you'd have to do some clever joining/separating of fields. Feasible but not very pretty.

You could do the same but firstly rename fields conditionally so that you end up with properly uniquely named fields per threadId. Then you could either do the transaction command or stats values (stats is usually a better approach) by threadId.

You can also use xyseries to "unpack" the separate fields into a table.

0 Karma

richgalloway
SplunkTrust

Sub queries (called "subsearch") are supported in Splunk and are specified by putting the SPL inside square brackets.  The subsearch runs first and its results are then appended to the text of the main search.


index=test eventType IN ("REQUEST" "RESPONSE") [ index=test eventType="HEADER" clientIP=101.121.22.11 | fields threadId | format ]


The fields command makes sure only the needed field is returned while format puts the results into (threadId=foo OR threadId=bar) form.

---
If this reply helps you, Karma would be appreciated.
0 Karma

VatsalJagani
SplunkTrust

@dmuley - You can use a search like this:

<Your query to fetch all the events> (index=test)
| eval {eventType}=data
| stats values(HEADER) as HEADER, values(REQUEST) as REQUEST, values(RESPONSE) as RESPONSE by threadId
| search HEADER="*101.121.22.11*"

(I'm assuming that threadId is what is unique between these 3 events.)


I hope this helps!!!

0 Karma
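The following is an added worked example, not code from any post in this thread. It builds the three events from the question (plus a second, constructed thread with threadId M2B7QX0PLRE5 and clientIP 101.121.22.110, invented here to show the wildcard pitfall) with makeresults, so it can be pasted into any Splunk search bar without an index, and then applies the dynamic-field-name technique from VatsalJagani's answer in a single pass. Field names threadId, eventType and data are taken from the sample events; everything else is an assumption of this example.

```spl
| makeresults
| eval raw=mvappend(
    "2022-06-12 21:51:40.274 threadId=L4C9D6WIYK2K eventType=\"HEADER\" data=\"clientIP=101.121.22.11\"",
    "2022-06-12 21:51:41.274 threadId=L4C9D6WIYK2K eventType=\"REQUEST\" data=\"<TestRQ>sometestdata</TestRQ>\"",
    "2022-06-12 21:51:42.274 threadId=L4C9D6WIYK2K eventType=\"RESPONSE\" data=\"<TestRQ>sometestdata</TestRQ>\"",
    "2022-06-12 21:52:10.100 threadId=M2B7QX0PLRE5 eventType=\"HEADER\" data=\"clientIP=101.121.22.110\"",
    "2022-06-12 21:52:11.100 threadId=M2B7QX0PLRE5 eventType=\"REQUEST\" data=\"<TestRQ>otherdata</TestRQ>\"")
| mvexpand raw
| rename raw AS _raw
| rex field=_raw "^(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) threadId=(?<threadId>\S+) eventType=\"(?<eventType>[A-Z]+)\" data=\"(?<data>.*)\"$"
| eval _time=strptime(ts, "%Y-%m-%d %H:%M:%S.%3N")
| eval {eventType}=data
| rex field=HEADER "^clientIP=(?<clientIP>\d{1,3}(?:\.\d{1,3}){3})$"
| eventstats values(clientIP) AS clientIP BY threadId
| search clientIP="101.121.22.11" eventType IN ("REQUEST", "RESPONSE")
| sort 0 threadId _time
| table _time threadId eventType data
```

Against real data, replace everything up to and including the strptime line with `index=test threadId=*`; the automatic key=value extraction on the indexed events supplies threadId, eventType and data, and the remaining lines are unchanged. The `eval {eventType}=data` line creates a field named after the value of eventType, so the HEADER event gets a field called HEADER, the REQUEST event a field called REQUEST, and so on; Splunk field names are case-sensitive, so `values(Header)` would be empty while `values(HEADER)` is populated. The rex on HEADER pulls the address out as its own field and eventstats copies it onto every event of the same threadId, so the final search keeps the original REQUEST and RESPONSE events (which is what the question asks for) rather than one summary row per thread; use stats instead of eventstats if a one-row-per-thread table is wanted. The exact comparison `clientIP="101.121.22.11"` matters: a wildcard filter such as `HEADER="*101.121.22.11*"` would also match the constructed second thread, whose address is 101.121.22.110. The subsearch form from richgalloway's answer works the same way but is subject to the subsearch limits (by default 10,000 results and 60 seconds, the maxout and maxtime settings under [subsearch] in limits.conf), and a truncated subsearch silently drops threads, so for a large number of matching HEADER events the single-pass eventstats/stats approach is the safer choice.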

dmuley
Explorer

@VatsalJagani thank you, it works up to stats, but the search command (last line) is unfortunately not giving any output even though the data is present.

0 Karma