Hi,
We are new to splunk, so we are facing some difficulty to understand how to implement a kind of “poor man“ root cause analysis, or more precisely, root cause hint.
There is this index we created where we defined some standard fields. Among other, the “ci” (configuration item) field represents an asset in the ITIL sense. To avoid confusion with other “events” definitions, we defined an “occurrence” field. An occurrence is a important event that happened on a ci. We have the ci dependency tree, and for each ci we can derive its providers set, the set of ci that directly or indirectly supports the ci, and this information is stored on a kv store, so it is easy to lookup the provider set for any ci.
What we are trying to do is, for a new index occurrence “O”, using ci dependency information, find if there are some previous occurrences that could explain/cause the occurrence “O” and whose ci is on the provider set.
One idea was to lookup the ci dependency to create a dependencies multivalue field, use mvexpand on this field and then use map to search the previous occurrences, comparing this field with the ci field of the previous occurrences.
In essence, we need to correlate a new occurrence “O” with previous occurrences if their ci is a provider of the “O” ci.
Thanks for any tip.
