Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Event correlation question

pjmenon
Explorer
‎06-15-2010 03:28 PM

I am evaluating SPLUNK for my client. Reading previous questions tells me I can do this, but want to confirm.

have 2 dissimilar log files

file1 : field1, 2, 3, time1...
file2 : field1, a, b, time2....

If pattern1 in file 1, find pattern2 in file2 where field1 matches and time1 , time 2 are within n seconds of each other.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Lowell
Super Champion
‎06-15-2010 05:09 PM

I'm not sure about the pattern1 and pattern2 thing exactly--if you gave an example someone could respond with more confidence, but most likely it's possible to match these using a simple search terms, field matching or if necessary, a regular expression match.

The rest of it is certainly possible.

You would probably end up with a search that looks something like this:

(source=file1 pattern1) OR (source=2 pattern2) | transaction fields="field1" maxspan=10s

If you then want to make sure that you have both sources in your resulting transaction, you could simply add an additional "search" command after you build your transactions.

(source=file1 pattern1) OR (source=2 pattern2) | transaction fields="field1" maxspan=10s | search source=file1 source=file2

If pattern1 and pattern2, for whatever reason, must be regular expressions, then you could use a search like this: (Note: This search will not be as fast as the first approach and is generally more difficult to maintain (since not everyone is a regex-master). It's generally recommended to use normal search terms rather than using a regex match, but it can be done.)

source=file1 OR source=file2 | regex _raw="^(pattern1|pattern2)$" | transaction fields="field1" maxspan=10s

I hope this gives you an idea of the flexibility that's available. You can combine tons of commands to get splunk to do almost anything you want it to do. And if you can't find an existing search command, you can actually write your own too. -- I don't recommended starting there, but it's nice to know you have options.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Lowell
Super Champion
‎06-15-2010 05:09 PM

I'm not sure about the pattern1 and pattern2 thing exactly--if you gave an example someone could respond with more confidence, but most likely it's possible to match these using a simple search terms, field matching or if necessary, a regular expression match.

The rest of it is certainly possible.

You would probably end up with a search that looks something like this:

(source=file1 pattern1) OR (source=2 pattern2) | transaction fields="field1" maxspan=10s

If you then want to make sure that you have both sources in your resulting transaction, you could simply add an additional "search" command after you build your transactions.

(source=file1 pattern1) OR (source=2 pattern2) | transaction fields="field1" maxspan=10s | search source=file1 source=file2

If pattern1 and pattern2, for whatever reason, must be regular expressions, then you could use a search like this: (Note: This search will not be as fast as the first approach and is generally more difficult to maintain (since not everyone is a regex-master). It's generally recommended to use normal search terms rather than using a regex match, but it can be done.)

source=file1 OR source=file2 | regex _raw="^(pattern1|pattern2)$" | transaction fields="field1" maxspan=10s

I hope this gives you an idea of the flexibility that's available. You can combine tons of commands to get splunk to do almost anything you want it to do. And if you can't find an existing search command, you can actually write your own too. -- I don't recommended starting there, but it's nice to know you have options.

0 Karma
Reply
Solved! Jump to solution

Lowell
Super Champion
‎06-16-2010 03:16 PM

If pattern 1 and 2 are simple regex than additional steps would be required. (Normally you can come up with a search expression that is simpler and more effective than a regex, but you can use a regex if you have too.)

0 Karma
Reply
Solved! Jump to solution

pjmenon
Explorer
‎06-16-2010 01:01 AM

I think you may have answered my question. Patetrn1 & 2 can be simple regexes. I think the above search matches 2 events even from the same file (say file1) if they are within 10s. How to search a pair of events each of them coming from a different file?
Thank you !

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...