Splunk Search

Event Correlation

ninadmnaik
Explorer

I have two events:

Event 1:
transactionId=123 field_x=x_value

Event 2
transactionId=123 status=success

How can I correlate these two?
I want to create a timechart for “field_x” when “status=success”

So, basically, the search query is:
transactionId field_x | timechart count by field_x

But I want to get all “field_x” only when status=success.

So, I guess this is equivalent to SQL IN() construct:
SELECT field_x from table where transactionId IN (SELECT transactionId from table where status=success);

I am trying to do a subsearch like:
source="source1" field_x=* transactionId [search source="source1" AND status=success | fields transactionId] | timechart count by field_x

Doesn't seem to be working.

1 Solution

lguinn2
Legend

Try this:

yoursearchhere | 
transaction transactionId | 
search status=success | 
timechart count by field_x

I think you were making it too hard! 🙂

ninadmnaik
Explorer

Oh yeah, you're right. That did it. Thanks a bunch!!


lguinn2
Legend

The transaction consists of a set of events, all with the same transactionId. The search command applies to the entire transaction, not the individual events. So the AND should be okay.


lguinn2
Legend

What do you get when you just do

source="source1" field_x=* OR status=success |
transaction transactionId


ninadmnaik
Explorer

As per your new suggestion, that won't work, because:
search status=success AND field_x="*"

For the above to work, both the fields should be in the same logging event right? But they aren't.
I have two different logging events as:

Event 1:
transactionId=123 field_x=x_value

Event 2
transactionId=123 status=success


ninadmnaik
Explorer

No, I take it back. When I said it was working, I missed the following line (bold) in the query:

source="source1" field_x=* OR status=success |
transaction transactionId |
search status=success |
timechart count by field_x

If I add this line "search status=success", I don't get any results. And without checking whether "status=success", I will get all "field_x" values for which "status=failed" as well.


lguinn2
Legend

I think that you have some transactions that do not have field_x in them. Try this

source="source1" field_x=* OR status=success |
transaction transactionId |
search status=success AND field_x="*" |
timechart count by field_x


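The following is an added example, not code from the thread or from Splunk: a small Python model of what the accepted answer's pipeline (`transaction transactionId | search status=success | timechart count by field_x`) does to the two-event shape in the question, why a transaction that has a status=success event but no field_x event shows up as a "NULL" series, how the `field_x="*"` clause from lguinn2's follow-up removes it, and what the SQL IN()-style subsearch the asker first tried would compute. All event data, field names and bucket spans below are constructed for illustration; the functions `transaction`, `search` and `timechart_count_by` are simplified models of the Splunk commands, not their real implementations.

```python
"""Added example: model of the thread's Splunk correlation pipeline.

Event data is constructed; transactionId/field_x/status are the field
names used in the question.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)

# Constructed sample events, one dict per event like Splunk's extracted fields.
# 123: field_x event + success event      -> counted under field_x=a
# 456: field_x event + failed event       -> filtered out by status=success
# 789: success event but NO field_x event -> the "NULL" series
# 999: field_x event, no status event     -> filtered out by status=success
EVENTS = [
    {"_time": T0 + timedelta(minutes=1), "transactionId": "123", "field_x": "a"},
    {"_time": T0 + timedelta(minutes=2), "transactionId": "123", "status": "success"},
    {"_time": T0 + timedelta(minutes=3), "transactionId": "456", "field_x": "b"},
    {"_time": T0 + timedelta(minutes=4), "transactionId": "456", "status": "failed"},
    {"_time": T0 + timedelta(minutes=5), "transactionId": "789", "status": "success"},
    {"_time": T0 + timedelta(minutes=6), "transactionId": "999", "field_x": "a"},
]


def transaction(events, key):
    """Model of `| transaction <key>`: merge every event sharing the key into
    one record whose fields are multivalue; _time is the earliest event."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev[key]].append(ev)
    merged = []
    for key_value, evs in groups.items():
        rec = {key: key_value, "_time": min(e["_time"] for e in evs)}
        for ev in evs:
            for field, value in ev.items():
                if field in (key, "_time"):
                    continue
                rec.setdefault(field, set()).add(value)  # multivalue field
        merged.append(rec)
    return merged


def search(records, **criteria):
    """Model of `| search field=value` applied to merged transactions: a
    multivalue field matches if any of its values matches; "*" means the
    field must simply be present (this is what field_x="*" checks)."""
    out = []
    for rec in records:
        ok = True
        for field, want in criteria.items():
            values = rec.get(field)
            if values is None or (want != "*" and want not in values):
                ok = False
                break
        if ok:
            out.append(rec)
    return out


def timechart_count_by(records, field, span=timedelta(hours=1)):
    """Model of `| timechart count by <field>`: bucket records by span
    (relative to T0 for simplicity) and count per field value. A record
    that lacks the split-by field is counted in the NULL series."""
    chart = defaultdict(lambda: defaultdict(int))
    for rec in records:
        bucket = T0 + ((rec["_time"] - T0) // span) * span
        for value in rec.get(field, {"NULL"}):
            chart[bucket][value] += 1
    return {b: dict(counts) for b, counts in chart.items()}


def thread_query(events, require_field_x=False):
    """The accepted answer's pipeline; require_field_x=True adds the
    `AND field_x="*"` clause from lguinn2's follow-up post."""
    criteria = {"status": "success"}
    if require_field_x:
        criteria["field_x"] = "*"
    merged = transaction(events, "transactionId")
    return timechart_count_by(search(merged, **criteria), "field_x")


def subsearch_query(events):
    """The SQL IN() shape from the question: keep field_x events whose
    transactionId appears in the set of ids that have a success event."""
    success_ids = {e["transactionId"] for e in events if e.get("status") == "success"}
    inner = [e for e in events if "field_x" in e and e["transactionId"] in success_ids]
    return timechart_count_by(inner, "field_x")


if __name__ == "__main__":
    print("transaction + search status=success     :", thread_query(EVENTS))
    print("... AND field_x=\"*\" (drops NULL series):", thread_query(EVENTS, True))
    print("subsearch / IN() form                    :", subsearch_query(EVENTS))
```

Two practical caveats when running the real thing in Splunk rather than this model: `transaction` holds events in memory and is one of the slower commands, so for large volumes the usual substitute is `stats values(field_x) as field_x values(status) as status min(_time) as _time by transactionId` followed by the same `search` and `timechart`; and a subsearch like the one in the question is subject to default limits (10,000 results and a 60-second timeout), so the IN() form can silently truncate the id list on busy sources while the transaction form does not.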
ninadmnaik
Explorer

No, you are right. Updated my query to:

source="source1" field_x=* OR status=success |
transaction transactionId |
search status=success |
timechart count by field_x

Now it's giving me the chart.

However, one little thing. Along with the four values of "field_x" it's also showing a value "NULL". Wonder why that is.

Will update this when I find out about NULL.

Please let me know if you have an idea.

Thanks a bunch for your answer.


ninadmnaik
Explorer

Oh yes, that does make sense. But this isn't working either. Splunk isn't finding any matching events.

Here's the updated query as per your suggestion.

source="source1" field_x=* |
transaction transactionId |
search status=success |
timechart count by field_x
