Splunk Search

extracted field propagation across related events

twistedsixty4
Path Finder

Hey all,
I have an event log that I have to generate reports off of for the BI team where I work. The problem I keep running into is that the different event types log different sets of information, all tied to a unique event_id, but I need to have one field of a specific event type tied to all the other events with the same id.

example:
time event_id Node user status event_type
18534564.56 05178 HIL-DEV01 not_reporting alert
18640234.9 05179 ROV-HOST01 disk_space_low alert
19538754.13 05178 Hal9001 closed

In this example I want to assign node HIL-DEV01 across all events with the ID of 05178. I have tried to do this with transactions, but I have found that I lose the unique time values for the events inside the transaction.

Is it possible to do this with eval? Or does anyone have an idea of what to do? If you need more info, just let me know.

1 Solution

somesoni2
SplunkTrust

Give this a try

your base search | eventstats first(Node) as Node by event_id 


twistedsixty4
Path Finder

You are a godsend, sir, this worked great!

strive
Influencer

Try this and see if this is what you need

Some Search Terms | stats values(time) as Timers first(Node) as Node values(status) as Statuses values(event_type) as Events by event_id
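As an added illustration (not code from either answer), the following Python mimics what the two searches above do to the poster's three sample events: the eventstats approach copies first(Node) onto every event of the same event_id while each event keeps its own time, whereas the stats roll-up collapses each event_id to a single row with the times in a multivalue list. The events are constructed from the poster's table; their order (most recent first, as Splunk returns them) and the placement of "closed" under status are assumptions.

```python
from collections import defaultdict

# Constructed sample events in Splunk's default return order (most recent first).
# Fields a given event type does not log are simply absent, as in the poster's log.
EVENTS = [
    {"time": 19538754.13, "event_id": "05178", "user": "Hal9001", "status": "closed"},
    {"time": 18640234.9, "event_id": "05179", "Node": "ROV-HOST01",
     "status": "disk_space_low", "event_type": "alert"},
    {"time": 18534564.56, "event_id": "05178", "Node": "HIL-DEV01",
     "status": "not_reporting", "event_type": "alert"},
]


def eventstats_first(events, field, by):
    """Mimic `eventstats first(<field>) as <field> by <by>`.

    first() keeps the first non-null value seen in search order; eventstats then
    writes it back onto every event in the group without dropping any event or
    touching its other fields, so each event keeps its own time.
    """
    first_seen = {}
    for ev in events:
        key = ev.get(by)
        if key is not None and key not in first_seen and ev.get(field) is not None:
            first_seen[key] = ev[field]
    out = []
    for ev in events:
        row = dict(ev)
        if row.get(by) in first_seen:
            row[field] = first_seen[row[by]]
        out.append(row)
    return out


def stats_rollup(events, by):
    """Mimic `stats values(time) as Timers first(Node) as Node values(status)
    as Statuses values(event_type) as Events by event_id`: one row per group,
    per-event times collapsed into a multivalue field (values() de-duplicates
    and sorts; numeric sort is used here for readability)."""
    groups = defaultdict(lambda: {"Timers": [], "Node": None,
                                  "Statuses": set(), "Events": set()})
    for ev in events:
        g = groups[ev[by]]
        g["Timers"].append(ev["time"])
        if g["Node"] is None and ev.get("Node") is not None:
            g["Node"] = ev["Node"]
        if ev.get("status") is not None:
            g["Statuses"].add(ev["status"])
        if ev.get("event_type") is not None:
            g["Events"].add(ev["event_type"])
    return {k: {"Timers": sorted(v["Timers"]), "Node": v["Node"],
                "Statuses": sorted(v["Statuses"]), "Events": sorted(v["Events"])}
            for k, v in groups.items()}
```

Running eventstats_first(EVENTS, "Node", "event_id") yields three rows, each with its original time and Node set to HIL-DEV01 for both 05178 events; stats_rollup(EVENTS, "event_id") yields two rows, with the two 05178 times merged into Timers.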
