Getting Data In

Correlate data from two sources

mookiie2005
Communicator

We have two separate logs for errors from different programs. I am currently running two separate searches:
source="*bsf0003.stdout" "error"
sample of data:
[12/04/13 14:13:37:150] MessageReference=XXXXXXXXXXXXXXXX SystemName=CS DistributionChannel=CS QuoteNumber=XXXXXXXX CallingProgram=psfsave Desc="Error Code: 0110, Error Desc: Quote is Locked Out"

source="/u3/logs/QTE_SVCS2_SYNCQTE_PROD/QTE_SVCS2_SYNCQTE/syncqtesvc.log" "transactionstatus=e" MessageCode="" QuoteNumber="" NOT MessageCode="301"
sample data:
2013-12-04 14:22:35,400 [WebSphere_EJB_Timer_Service_WorkManager.Alarm Pool : 0] INFO CLASS=SyncQuoteService, MessageReference=EC00A6F3-E700-72E2-E044-0017A477, SystemName=DRC, Operation=SyncQuoteServiceBatch, QuoteNumber=XXXXXXXX, QuoteEffectiveDate=XXXXXXXXX, QuoteCreationDate=XXXXXXXX, BindIndicator=N, ProcessIndicator=E, TransactionStatus=E, MessageCode=E900, FunctionName=FULLPROCESS, ElapseTime=1306

I need to identify Quote numbers that have errors on BOTH sources, how should I go about doing that?

0 Karma

aholzer
Motivator

I missed the last line in your question. The answer @somesoni2 provided is much better suited to solve your problem.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try following

source="*bsf0003.stdout" "error" | stats count by QuoteNumber | fields - count | join QuoteNumber [search source="/u3/logs/QTE_SVCS2_SYNCQTE_PROD/QTE_SVCS2_SYNCQTE/syncqtesvc.log"  "transactionstatus=e" MessageCode=""  QuoteNumber="" NOT MessageCode="301" | stats count by QuotaNumber | fields - count ]

Above will give list of QuotaNumber present in both the queries. Stats are used to get unique values for QuotaNumber from both the search (which is faster than using dedup).

0 Karma

aholzer
Motivator

Assuming your correlationId is QuoteNumber you can do this:

(source="*bsf0003.stdout" "error") OR (source="/u3/logs/QTE_SVCS2_SYNCQTE_PROD/QTE_SVCS2_SYNCQTE/syncqtesvc.log" "transactionstatus=e" MessageCode="" QuoteNumber="" NOT MessageCode="301") | transaction QuoteNumber

This will group all events from both sources with the same QuoteNumber together into transactions. I should note that transactions are intense operations. Try reading up on transactions and look at ways of limiting the time they are open. Use parameters like maxpause, maxspan, and startswith/endswith.

Hope this helps

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...