Re: Multiple Events - Looking for Matching Data

jon0149 · ‎08-14-2019

I would like to show a count for every time I get a "burst" of similar events.
This would be defined as more than one event having the same data in one field across them:

So :
- Event 001 would have a "subject" field with text always in the same format subject = "Report: <EventName>"
- Event 002 would have the same setup but with either the same or a different <EventName>.

I would like to be able to view all the events where there is another event with the same <EventName> and also display the results in a Dashboard. Thereby analyzing trends between similar events.

Does anyone know how I might achieve this?

Thanks

Sukisen1981 · ‎08-14-2019

Hi @jon0149 - You do need to provide a sample of your events and what you need in more clear statements, if you expect a more detailed answer.
That being said,you best bet is to
1- extract events using regex based on the eventname
2- do a stats , values, list , table of the events
3- Save as a panel in a dashboard
4- You might have a text input dropdown in your dashboard which would be the eventnames , selcting one would show you the events with timestaoms for that particular eventname across the range of your search

Multiple Events - Looking for Matching Data

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?

Multiple Events - Looking for Matching Data

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers