Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Skeltalog and iis log mapping

vaibhavbeohar
Path Finder
‎05-17-2012 01:49 AM

How can do mapping between two different source type say for exp. mapping between skelta log and iis log

Tags (1)
0 Karma
Reply

lguinn2
Legend
‎05-19-2012 02:17 PM

In order to correlate events between two different sourcetypes, you need to identify the common fields.
Here is an example:

The events of sourcetype myMiddleware have two fields (in addition to a timestamp, host, source and sourcetype)

username

userip

The events of sourcetype myDBMS have three fields (in addition to a timestamp, host, source and sourcetype)

transId

userId

statusCode

Let's say that you want to report the number of transactions (based on transId) for each ip address. In this example, the username and userId fields are really the same thing, they are just named differently in the different sourcetypes. The following search will address these problems:

sourcetype=myMiddleware OR sourcetype=myDBMS |
rename userId as username |
transaction username transId |
stats distinct_count(transId) As TransactionCount by userip

I suggest that you play around with this and look at the Search Reference manual for more options and examples of these commands.

0 Karma
Reply

vaibhavbeohar
Path Finder
‎05-18-2012 02:59 AM

Exactly correlation between two sourcetype

0 Karma
Reply

lguinn2
Legend
‎05-17-2012 02:50 PM

Yes, what do you mean by "mapping"? Are you trying to correlate events between these two sourcetypes?

0 Karma
Reply

Ayn
Legend
‎05-17-2012 01:56 AM

More details, please.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security(ES) 7.3 is approaching the end of support. Get ready for ...

Hi friends!    At Splunk, your product success is our top priority. With Enterprise Security (ES), we're here ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...