Splunk Search

How to make a field cover multiple events

tbrown
Path Finder

I have a transaction of events. In the first event of the transaction, it contains an event that I am using

| rex field=_raw .....

to extract two fields from: Rising_Server and Falling_Server. If I specify the time period to only include those events within the transaction and nothing else, how can I apply the Rising_Host and Falling_Host fields to the other events?
More specifically, in the first event, it contains the values for those two fields. None of the other events contain those fields. However, I want to compare the hosts of the other events (that don't contain the fields) and see if they are the same as the Rising_Host and Falling_Host. I want to do this because I want to filter out any events that aren't coming from those two hosts.

I've tried adding a 

| where (host=Rising_Host OR host=Falling_Host)

into the search, but that of course only shows the first event with those fields. Any suggestions on how to compare that field value to events without the field?


bowesmana
Champion

If the events are coming in sequence of the rising/falling host and the 'first' event with new values will apply to all subsequent rows until a new 'first' row is seen, then use 'filldown'

https://docs.splunk.com/Documentation/Splunk/8.0.5/SearchReference/Filldown

If not, is there a way to correlate all events that relate to the rising/falling host fields against the events that do not contain the values? If so, then you can always sort by that field then use filldown, or aggregate the rows by that field with something like

| stats values(Rising_Host) as Rising_Host values(Falling_Host) as Falling_Host by common_field

Note that if you do not want to aggregate the rows, then use eventstats rather than stats.

Hope this helps

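An added end-to-end search (not from the original question or the accepted answer) that chains the rex extraction, the eventstats propagation suggested above and the where filter; the index, sourcetype, time bounds, the rex pattern and the grouping field transaction_id are assumptions standing in for the poster's real values:

```spl
index=my_index sourcetype=my_sourcetype earliest=-1h latest=now
| rex field=_raw "Rising_Server=(?<Rising_Host>\S+)\s+Falling_Server=(?<Falling_Host>\S+)"
| eventstats values(Rising_Host) as Rising_Host values(Falling_Host) as Falling_Host by transaction_id
| where host=Rising_Host OR host=Falling_Host
| table _time transaction_id host Rising_Host Falling_Host
```

eventstats copies the two extracted values onto every event sharing the same transaction_id, so the where clause (which compares field to field because Rising_Host and Falling_Host are unquoted) now keeps only the events from those two hosts. If the events are strictly time-ordered with the rising/falling event first, `| sort 0 _time | filldown Rising_Host Falling_Host` can replace the eventstats line.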

