extract fields from multiple events.

valivarthiramu · ‎05-09-2020

Below are my events.
Event1:contains Messages Id and Status
Event2: contains Messages Id and Origin
Event3: contains Messages Id Event Type and number of events in single messages
Event4: contains Messages Id Before event
Event5: contains Messages Id and Number of events from mq.

My requirement is write query on below mentioned splunk events to display number of events from a single message(Event3) and Event Type(Event3) and number of Before events(Event 4) and number of events from mq(Event5) and Origin of Message(Event2) and status of Message(Event1)

Can some one help me on best way to write query.

Event1:
314 <14>1 2020-05-08T06:32:27.152225+00:00 5f6af747-fc9d-45a2-9a06-e79e57d32b10 [APP/PROC/WEB/0] - - INFO cf_ip=10.19.148.194 cf_inst=0 d_type=mon [bank-container-4] BankListener:299 - Message id: ID:c3e2d840c3d9c4c14040404040404040d7e2d71e0157ccd6 , status: CONFIRMED

Event2:
373 <14>1 2020-05-08T06:32:27.144325+00:00 5f6af747-fc9d-45a2-9a06-e79e57d32b10 [APP/PROC/WEB/0] - - INFO  cf_ip=10.19.148.194 cf_inst=0 d_type=mon [bank-container-4] MonetaryListener:294 - dvCID: aee7de40-90f5-11ea-a289-65afed7166d5, Message id: ID:c3e2d840c3d9c4c14040404040404040d7e2d71e0157ccd6 Origin: MQ.DEV.BANK

Event3:
495 <14>1 2020-05-08T06:32:26.93318+00:00 5f6af747-fc9d-45a2-9a06-e79e57d32b10 [APP/PROC/WEB/0] - - INFO  cf_ip=10.19.148.194 cf_inst=0 d_type=mon [Kafkapublish-2] Kafkapublish$KafkapublishCommand:164 - Message id: ID:c3e2d840c3d9c4c14040404040404040d7e2d71e0157ccd6, EventType: SAVINGS, dvCID: aee7de40-90f5-11ea-a289-65afed7166d5, Num Events: 1, JMS TS: Fri May 08 02:32:26 EDT 2020, DOM TS: Fri May 08 02:32:26 EDT 2020, Kafka TS: Fri May 08 02:32:26 EDT 2020

Event4:
326 <14>1 2020-05-08T06:32:26.92776+00:00  5f6af747-fc9d-45a2-9a06-e79e57d32b10 [APP/PROC/WEB/0] - - INFO  cf_ip=10.19.148.194 cf_inst=0 d_type=mon [bank-container-container-4] BankListener:439 - Before event, Message id: ID:c3e2d840c3d9c4c14040404040404040d7e2d71e0157ccd6 / Bank: 123

313 <14>1 2020-05-08T06:32:26.405266+00:00  5f6af747-fc9d-45a2-9a06-e79e57d32b10 [APP/PROC/WEB/0] - - INFO  cf_ip=10.19.148.194 cf_inst=0 d_type=mon [bank-container-container-4] BankListener:408 - Message id: ID:c3e2d840c3d9c4c14040404040404040d7e2d71e0157ccd6, events from mq: 2

richgalloway · ‎05-09-2020

This may help.

index=foo
| rex "Message id: ID:(?<MessageID>\w+)"
| eval msgType = case(searchmatch("status:"),"Status", searchmatch("Origin:"), "Origin", searchmatch("Before event"), "Before event", searchmatch("events from mq:"), "Events from MQ", 1==1, "Single message")
| stats count by msgType, MessageID

---
If this reply helps you, Karma would be appreciated.

extract fields from multiple events.

Streamline Data Ingestion With Deployment Server Essentials

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

Introduction to Splunk AI