Splunk Search

How to fetch REQUEST and RESPONSE events based on clientIP mentioned in third event of HEADER?

dmuley
Explorer

2022-06-12 21:51:42.274 threadId=L4C9D6WIYK2K eventType="RESPONSE" data="<TestRQ>sometestdata</TestRQ>"
2022-06-12 21:51:41.274 threadId=L4C9D6WIYK2K eventType="REQUEST" data="<TestRQ>sometestdata</TestRQ>"
2022-06-12 21:51:40.274 threadId=L4C9D6WIYK2K eventType="HEADER" data="clientIP=101.121.22.11"

Hello Team,

I have the series of events shown above, and if you look at the event having eventType="HEADER", I have clientIP in the data field.

I need to fetch REQUEST and RESPONSE events based on the clientIP mentioned in the third event, the HEADER. The common unique ID between all 3 events is threadId. How can I achieve this in a Splunk query?

New to Splunk, I am just good at basic searches.

index=test eventType="HEADER" clientIP=101.121.22.11 ------>> and pass on the threadId to fetch eventType="REQUEST" and eventType="RESPONSE"

@ITWhisperer 

0 Karma

PickleRick
SplunkTrust

The most obvious thing would be to use transaction to group the events by threadId.

But that would mean "squishing" together the eventType and data values, so you'd have to do some clever joining/separating of fields. Feasible but not very pretty.

You could do the same but firstly rename fields conditionally so that you end up with properly uniquely named fields per threadId. Then you could either do the transaction command or stats values (stats is usually a better approach) by threadId.

You can also use xyseries to "unpack" the separate fields into a table.

0 Karma

richgalloway
SplunkTrust

Sub queries (called "subsearch") are supported in Splunk and are specified by putting the SPL inside square brackets.  The subsearch runs first and its results are then appended to the text of the main search.

index=test eventType IN ("REQUEST" "RESPONSE") [ index=test eventType="HEADER" clientIP=101.121.22.11 | fields threadId | format ]

The fields command makes sure only the needed field is returned while format puts the results into (threadId=foo OR threadId=bar) form.

---
If this reply helps you, Karma would be appreciated.
0 Karma
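As an added example (not part of the reply above), the same subsearch pattern applied to the sample events exactly as they appear in the question. In those events clientIP is not a top-level field: it sits inside the quoted data value, so the inner search pulls it out with rex before filtering. The index name test, the field names threadId/eventType/data and the IP 101.121.22.11 are taken from the question; the regex is an assumption that clientIP is always a dotted IPv4 address.

```spl
index=test eventType IN ("REQUEST", "RESPONSE")
    [ search index=test eventType="HEADER"
      | rex field=data "clientIP=(?<clientIP>\d{1,3}(?:\.\d{1,3}){3})"
      | search clientIP="101.121.22.11"
      | dedup threadId
      | fields threadId
      | format ]
| table _time threadId eventType data
| sort threadId, _time
```

The subsearch runs first and `format` turns its rows into `( ( threadId="L4C9D6WIYK2K" ) )`, which is spliced into the outer search as a literal filter; `dedup` keeps one row per thread so the generated clause stays short. Two caveats a practitioner should keep in mind: a subsearch is capped by default at 10,000 results and 60 seconds (subsearch_maxout and subsearch_maxtime in limits.conf), and when either limit is hit the result set is silently truncated, so an investigation over a busy client IP and a wide time range can quietly miss threads. If clientIP is already an extracted field in your environment, the rex line can be dropped.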

VatsalJagani
SplunkTrust

@dmuley - You can use a search like this:

<Your query to fetch all the events> (index=test)
| eval {eventType}=data
| stats values(HEADER) as HEADER, values(REQUEST) as REQUEST, values(RESPONSE) as RESPONSE by threadId
| search HEADER="*101.121.22.11*"

(I'm assuming that threadId is what is unique between these 3 events.)

I hope this helps!!!

0 Karma

dmuley
Explorer

@VatsalJagani thank you, it works till stats, but the search command (last line) is not giving any output unfortunately, even though data is present.

0 Karma
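Two things are worth knowing when the stats-based approach above returns nothing, stated here as an added note and example rather than as part of any reply in the thread. First, Splunk field names are case-sensitive: `eval {eventType}=data` creates fields named exactly HEADER, REQUEST and RESPONSE, so a `stats values(Header)` aggregates a field that does not exist, the resulting HEADER column is empty, and any later `search HEADER="*101.121.22.11*"` cannot match. Second, `stats` collapses each thread to a single row, whereas the original question asks for the REQUEST and RESPONSE events themselves. The variant below keeps the raw events by using `eventstats` to copy the HEADER event's clientIP onto every event sharing its threadId, then filters. It assumes the same index, field names and sample IP as the question, and that clientIP is a dotted IPv4 address; it is example code, not something posted in this thread.

```spl
index=test eventType IN ("HEADER", "REQUEST", "RESPONSE")
| rex field=data "clientIP=(?<clientIP>\d{1,3}(?:\.\d{1,3}){3})"
| eventstats values(clientIP) as clientIP by threadId
| search clientIP="101.121.22.11" eventType IN ("REQUEST", "RESPONSE")
| table _time threadId clientIP eventType data
| sort threadId, _time
```

After the rex step only HEADER events carry clientIP; `eventstats ... by threadId` then writes the thread's clientIP onto the REQUEST and RESPONSE events too, so the final `search` can filter on the IP while still returning the original event rows with their data intact. Because this runs without a subsearch it is not subject to the subsearch result and time limits, which matters when correlating a client IP across a long window during an investigation; the trade-off is that eventstats holds every event of the time range in memory per threadId, so on very large ranges the stats form (with the field names in the correct case) is cheaper if a one-row-per-thread summary is acceptable.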