Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Melding continuation events while cherrypicking da...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello all,
I've tried to search here and through search engines with no luck. I can't seem to get the knack for referencing which event's information I want to pick from.
I'm trying to join together information from two different events, in the same sourcetype, but picking the relevant information from each of the two raw events into a singular more meaningful event.
An example:
Event 1:
45 1 191 2020-07-20 20:55:26.540 1 873 23 NULL NULL cn13mhy SSS_ABC123_DB NULL NULL
; ; ; ; , 8.8.8.8, network password sybase encryption; ; cn13mhy/ase;
Event 2:
1 0 191 2020-07-20 20:55:26.543 1 873 NULL NULL NULL cn13mhy sybsystemprocs NULL NULL
CLIENTAPPINFO;app_name=PPP host_pid=17544 NULL
The first numeric is the event number. 45 is the Sybase ASE login event. 1 is an application/vendor generated event lower into the application. Each event, 45 and 1, has useful information. Event=45, which will always generate with the older timestamp, has IP information within the extrainfo field. Event=1 has the application name and the host PID in the extrainfo field.
I'm looking to merge those two events, with slightly dissimilar timestamps, into a single event where I can display 45's timestamp, 45's database name (SSS_ABC123_DB), the userid (ch13mhy in both), 1's app_name, and 1's host_pid
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's easy if you have a common field in both events. For e.g looking at both events, you have the fields with values 191, 873, ch13mhy in common. You may use one of them to stitch the events together.
For e.g assuming the userid field is the common factor between these two
Try
"your base search"|stats max(eval(if(event_number==45,_time,null()))) as _time, values(database_name) as database_name, values(apps_name_ as apps_name, values(host_pid) as host_pid by userid
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's easy if you have a common field in both events. For e.g looking at both events, you have the fields with values 191, 873, ch13mhy in common. You may use one of them to stitch the events together.
For e.g assuming the userid field is the common factor between these two
Try
"your base search"|stats max(eval(if(event_number==45,_time,null()))) as _time, values(database_name) as database_name, values(apps_name_ as apps_name, values(host_pid) as host_pid by userid
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you! This gets me about 95% there.
I was too wrapped up in bucket and transaction statements.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Glad it worked. Appreciate an upvote (karma) and you may close the question by accepting as a solution 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
Wrapping Up Cybersecurity Awareness Month
🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2
What's New in Splunk Observability - October 2025
