Correlating events across multiple sources and multiple keys

rjlohan
Explorer

Hi,

I'm after some advice on the best way to create a search for the following scenario.

I have 3 data sources, A,B,C where there is a common field between A<-->B and a different common field between B<-->C

What I want to find, is how many events occur in A and C. I can see that I can create a transaction across A&B or B&C, but I'm unsure how to correlate across these sources when the common information changes.

Any tips would be great!

0 Karma

aljohnson_splun
Splunk Employee

Let's call one field ab and the other bc.

This is sort of ambiguous:

how many events occur in A and C

Are you looking for events that started in A and went through B to C? The count of events that have a relationship via B, from A<-->C?

Have you considered using a field alias in B so that the same field can be used from A<-->C, that is, ab also equals ac?

0 Karma

aljohnson_splun
Splunk Employee

The reason I'm asking for your clarification on this is because, if you're really only looking for counts, there is absolutely no reason to use the transaction command.

0 Karma

vinitatsky
Communicator

You are right. Transaction is a very powerful command, but it has a limitation: it's not advisable to use it in a clustered environment, and it takes a lot of resources too.

Another alternative is to use a subsearch:

sourcetype=A OR sourcetype=C [search sourcetype=A OR sourcetype=B | table <field_common_to_B_and_C>]

For example:
Sourcetype A and sourcetype B: the common field is ipaddress
Sourcetype B and sourcetype C: the common field is username

sourcetype=A OR sourcetype=C [search sourcetype=A OR sourcetype=B ipaddress=* | dedup username | table username]

1) First search for information in sourcetypes A and B using the common field between A and B, and identify the field which is common between B and C (i.e. table username).
2) Pass the results from the inner query to the outer query.

Hope this helps.

0 Karma

alacercogitatus
SplunkTrust

So assuming your data looks like this:

event_1A sessionID=someValue
event_1B sessionID=someValue jqueryResponse=someValue
event_1C jqueryResponse=someValue

Then you can do a double transaction (NOTE: I'm doing this off the top of my head, so yeah, it might not work right - you may need to finagle.)

<your_search_for_events> | transaction sessionID keeporphans=true | transaction jqueryResponse | <do_other_things>

There may be a more streamlined search, but this one comes to mind.

0 Karma

aljohnson_splun
Splunk Employee

Couldn't you just do transaction sessionID jqueryResponse instead of two transactions?

0 Karma
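Added example (the editor's, not from any poster above): a pure stats approach to the counting question raised in this thread, with no transaction and no subsearch. It reuses the field names from alacercogitatus's sample data, sessionID (shared by A and B) and jqueryResponse (shared by B and C); those names, and the sourcetype values A, B and C, are assumed here exactly as they appear in that sample. The idea is to give every event a key on the B<-->C side first (jqueryResponse for B and C; A has none, so it is keyed by its own sessionID), let the B rows carry their sessionID across that first grouping, and then re-key everything on sessionID so the A and C counts for one chain end up in the same row.

```spl
sourcetype=A OR sourcetype=B OR sourcetype=C
| eval key=if(sourcetype=="A", sessionID, jqueryResponse)
| stats values(sessionID) AS sessionID,
        count(eval(sourcetype=="A")) AS a_events,
        count(eval(sourcetype=="B")) AS b_events,
        count(eval(sourcetype=="C")) AS c_events
    BY key
| mvexpand sessionID
| stats sum(a_events) AS a_events,
        sum(b_events) AS b_events,
        sum(c_events) AS c_events
    BY sessionID
| where a_events > 0 AND b_events > 0 AND c_events > 0
| stats count AS linked_sessions,
        sum(a_events) AS total_a_events,
        sum(c_events) AS total_c_events
```

How to read it: the first stats produces one row per jqueryResponse (holding the B events' sessionID values plus the B and C counts) and one row per A sessionID (holding the A count). Rows for a jqueryResponse that never appeared in B have no sessionID and fall out at the second stats; rows for a sessionID that never reached C keep c_events=0 and are dropped by the where clause. Stop before the last stats if you want the per-sessionID breakdown rather than the totals. Two caveats: if several B events under the same jqueryResponse carry different sessionIDs, mvexpand fans that row out and the C events are attributed to each of those sessions, which is the same "which events count as A-and-C" ambiguity aljohnson_splun asked about; and the search assumes the two linking fields are already extracted with those names, so use field aliases or rename if your sourcetypes call them something else.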