Frequency correlation between different sourcetypes

nl_cape
Explorer

I have two sourcetypes, one containing alerts from users that we have a problem, and another one with server logs. In a first stage, I would like to correlate the number of exceptions and the number of alerts received. I'm struggling with how to implement this, however. I tried starting from (sourcetype="Alerts") OR (sourcetype="ExceptionLog" level="Warning" OR level="Error") | bin _time span=3h. So, I would like to get the number of alerts in a bucket, and associate it with the number of exceptions in the same bucket, but how? I read http://blogs.splunk.com/2012/10/01/simple-correlation-in-splunk, but it didn't seem to work for my case.

nl_cape
Explorer

@jtrucks: The first idea is to explore if there is a correlation between user alerts and exceptions we log. I'd like to do a scatter plot of this over time, which should hopefully make this somewhat clear.

lguinn2
Legend

Try this

 (sourcetype="Alerts") OR (sourcetype="ExceptionLog" level="Warning" OR level="Error") 
| bucket _time span=1d
| stats count(eval(sourcetype="Alerts")) as Alerts count(eval(sourcetype="ExceptionLog")) as Exceptions by host _time

As @jtrucks pointed out, you didn't give any criteria for correlating the two sets of events, so I did it by host and day.
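An added example, not from the thread, that takes the search above one step further: after the per-host, per-day counts it computes a Pearson correlation coefficient between Alerts and Exceptions for each host, the same relationship a scatter plot of the two counts would show. The field names mA, mE, dA, dE, dAE, dA2, dE2, sAE, sA2, sE2, days and pearson are my own.

```spl
(sourcetype="Alerts") OR (sourcetype="ExceptionLog" level="Warning" OR level="Error")
| bucket _time span=1d
| stats count(eval(sourcetype="Alerts")) as Alerts count(eval(sourcetype="ExceptionLog")) as Exceptions by host _time
| eventstats avg(Alerts) as mA avg(Exceptions) as mE by host
| eval dA=Alerts-mA, dE=Exceptions-mE, dAE=dA*dE, dA2=dA*dA, dE2=dE*dE
| stats sum(dAE) as sAE sum(dA2) as sA2 sum(dE2) as sE2 count as days by host
| eval pearson=if(sA2>0 AND sE2>0, round(sAE/sqrt(sA2*sE2), 3), null())
| table host days pearson
```

Rows exist only for host/day pairs that logged at least one matching event, so a day with neither alerts nor exceptions is absent from the calculation, and pearson is left null when one series never varies for a host. Drop `by host` from the eventstats and the final stats to get a single coefficient across all hosts.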

lguinn2
Legend

Aww, raspberry to me! I will fix the answer - thanks.

nl_cape
Explorer

Ah. Changing it to count(eval(sourcetype="Alerts")) makes it work. As is clearly written in the docs. Whoops.

nl_cape
Explorer

Interesting, that is precisely what I tried. What happens is that I get no results from count(sourcetype="AnySource"). I even tried count(sourcetype!="Alerts"), and I still get a count of zero. Removing the stats command, or removing the sourcetype, works as expected.

jtrucks
Splunk Employee

What is your end goal? Are you trying to compare counts, or are you trying to correlate each Alerts event with an ExceptionLog event? Why are you putting it into a bucket specifically rather than simply working with search results? (Not that using a bucket is bad, but I am just looking for your thought process and reasoning so we can help you more.)

--
Jesse Trucks
Minister of Magic