Splunk Search

How to find/tie earlier event field value to event that occurs later?

bab4684
New Member

Here are the Fields & possible values.

  1. pc_id {1234,5678,9012, etc.....}
  2. pc_connection {lan, wifi, mobile}
  3. pc_error {other, 9999, 7777, bluescreen}

Issue: When a (pc_error) event happens it doesn't report (pc_connection) which is reported in earlier event. (pc_id) reports all (3) fields.

search index=main (pc_id=* OR pc_connection=* OR pc_error="bluescreen")
| stats count eval(pc_error="bluescreen")) AS BlueScreened by pc_connection

Tried streamstats & filldown but no luck.
What is the best method to have (pc_error) stats with (pc_connection)?

Thanks in advance.

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Assumptions:

1) There are connection events with pc_id and pc_connection.

2) There are error events with pc_id and pc_error.

3) You want all events where the pc_error value is "bluescreen" linked to the last known pc_connection for that pc_id. Then you want the results to be counted up, by pc_connection.

Try this...

index=main pc_id=* (pc_connection=* OR pc_error="bluescreen")
| rename COMMENT as "That should be all the events.  Limit them to the fields we need, plus _time" 
| fields pc_id pc_error pc_connection

| rename COMMENT as "Kill any mutant events that got through eith a pc_connection and a different pc_error" 
| where pc_error="bluescreen" OR isnull(pc_error)

| rename COMMENT as "Sort and then copy pc_connection values forward across time, then kill pc_connection records" 
| sort 0 pc_id _time
| streamstats last(pc_connection) as pc_connection by pc_id
| where isnotnull(pc_error)

| rename COMMENT as "Now we have only error records.  Stats them up." 
| stats count as BlueScreened values(pc_id) as pc_id by pc_connection

added pc_id to the results.

0 Karma

sbbadri
Motivator

try this,

index=main pc_id=* OR pc_connection=* OR pc_error=bluescreen | stats count(pc_error) as bluescreened by pc_connection pc_id

0 Karma

bab4684
New Member

This resulted in all bluescreened values to = 0.

Table appeared as
pc_connection | Pc_id | bluescreened
lan | 1234 | 0

All (3) events fields do show values and the result should be 46 for bluescreened.
What else can I try?

0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...