Splunk Search

Using subsearch or transaction to correlate events from different sources?


I have a set of events coming from a source that tell me if a user came from a certain page "Source". From this set of events I can retrieve the request ID. From another set, I can retrieve information about a user visiting a certain page "Destination" together with the request ID.
I would like to create a report on the total number users per cluster and visiting "Destination" and the number of users per cluster visiting "Destination" and coming from "Source". How can I achieve that?
Here is the query to get the first set of events:

index=* logtype="SAT" (method="GET" OR method="POST") uri_path="myuri.do" referer="Source" | dedup rc | eval rc=rc+":0" | stats values(rc)

Here is the query to get the second set of events:

index=* logtype="EL" | rex field=rec.msg ".*?STRING: (?<trdate>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) \w* (?<actiontype>\d*) (?<userid>\w*) (?<cluster>\w*) (?<action>.*?)\]\]>" | search actiontype="Destination" | stats values(rec.reqid) by userid cluster

Thank you very much for your help.

0 Karma


Yes, that's it. That's exactly what I am trying to do.
I think that subsearches might exhaust my buffer. I would prefer avoiding them.


0 Karma


Just to clarify what you're asking for: You want a count of all hits to 'Destination' and a count of all hits to 'Destination' that came from 'Source'. Is that right?

0 Karma


index=* logtype="EL" [search index=* logtype="SAT" (method="GET" OR method="POST") uri_path="myuri.do" referer="Source" | dedup rc | eval rc=rc+":0" | stats count by rc | fields rc | rename rc AS rec.reqid ] | rex field=rec.msg ".*?STRING: (?<trdate>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) \w* (?<actiontype>\d*) (?<userid>\w*) (?<cluster>\w*) (?<action>.*?)\]\]>" | search actiontype="Destination" | stats values(rec.reqid) by userid cluster

Subsearch for the request ids you need, and then do the main search for the rest of the values.

0 Karma


Try using the Job Inspector and see which portion of the search will not match and why.

0 Karma


I get the message "The specified search will not match any events".

0 Karma
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...