Splunk Dev

Event Correlation - Display events from two sourcetypes

mhpeters
New Member

I'm trying to do event correlation between two different sourcetypes using the following:

sourcetype=logweb host=s09 resultcode=503 | join _time [search sourcetype=OWAlog host=s09]

Only the events from the first sourcetype are being displayed. I need to see events from both sourcetypes.

What am I doing wrong?


mhpeters
New Member

I've tried a bunch of combinations taking into consideration the suggestions above. I'm still unable to view the actual events around the time of the 503 error in the logweb. Some searches (with the join) only display the logweb events, others (with transaction) only display the OWAlog events.


adonio
Ultra Champion

Can you share sample data from both sourcetypes?
Are you trying to see events around a 503 error from both sourcetypes?
What are the anticipated results and format?


mhpeters
New Member

Yes, I'm trying to see events around a 503 from both sourcetypes. Here's what is getting close to what I want:

((sourcetype=logweb) OR (sourcetype=OWAlog)) host=s09 | bin _time span=10s | transaction _time maxspan=30s | search resultcode=503

Here's a snippet of what is being returned:

::ffff:172.16.1.94 - amy [30/May/2017:17:59:51 --700] "POST /4DACTION/WebShowRACategories/ HTTP/1.1" 503 1680
::ffff:172.16.1.91 - - [30/May/2017:17:59:56 --700] "GET /4DACTION/WebADCeSignWidget/201705300000168/General%20Release/30824217/ HTTP/1.1" 503 1680
::ffff:172.16.1.91 - Nightingale [30/May/2017:17:59:56 --700] "GET /4DACTION/WebAppOrderEntry/Nightingale/Nightingale HTTP/1.1" 503 1680
May 30 17:59:58 172.16.1.53 zabbix Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
May 30 17:59:58 172.16.1.53 Concorde Concorde RA zabbix /4DAction/WebShowMenu
May 30 17:59:58 172.16.1.53 zabbix Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)

I would like to see events around both sides of the 503.


adonio
Ultra Champion

Check these answers:
https://answers.splunk.com/answers/2602/can-splunk-filter-match-events-and-bring-back-neighbouring-e...
https://answers.splunk.com/answers/150509/how-to-get-events-around-identified-event.html
Also, there is a function in the GUI that does that.
Pick the event you want, expand it, look for the time field, click on the down arrow, and fill in the dialog box with the amount of time you want to see events before and after the picked event.

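The same "events before and after" view as a search, written out here as an added example that is not from any post in this thread: each logweb 503 is taken as an anchor, and both sourcetypes are re-searched in a window 30 seconds either side of it. The host, sourcetype and resultcode fields are the thread's own; the 30-second window, the head limit and the field names anchor and offset are assumptions chosen for illustration.

```spl
sourcetype=logweb host=s09 resultcode=503
| dedup _time
| head 10
| eval anchor=_time, earliest=floor(_time-30), latest=floor(_time+31)
| map maxsearches=10 search="search (sourcetype=logweb OR sourcetype=OWAlog) host=s09 earliest=$earliest$ latest=$latest$ | eval anchor=$anchor$, offset=_time-$anchor$"
| sort 0 anchor, _time
| table anchor, offset, sourcetype, _raw
```

map runs one search per anchor row, so keep the anchor set small (dedup plus head, or a narrower time range) and raise maxsearches only if you really need more. The offset column is seconds relative to the 503 (negative before, positive after), which is the "both sides" view the original question asks for. Before trusting the window, confirm that both sourcetypes parse their timestamps into _time in the same time zone: the logweb lines carry an explicit offset while the OWAlog lines are syslog-style without one, and a zone mismatch on either side silently shifts the window off the neighbouring events.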

woodcock
Esteemed Legend

Try this (assuming the events are close in time but do not have the exact same time):

((index="SomeIndexHere" sourcetype="logweb" resultcode="503") OR (index="OtherIndexHere" sourcetype="OWAlog")) host="s09"
| bin _time span=5m | stats values(*) AS * BY _time
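A variant of the bucketed approach above, added here as an example and not taken from any post in the thread, that keeps the output readable: instead of collapsing every field with values(*), it counts how many events from each sourcetype landed in the bucket, keeps the original event times, and drops buckets that do not contain both a 503 and an OWAlog event. The field names web_503s, owa_events, first_seen, last_seen and event_time are assumptions for illustration; host, sourcetype and resultcode are the thread's own fields.

```spl
((sourcetype=logweb resultcode=503) OR sourcetype=OWAlog) host=s09
| eval event_time=_time
| bin _time span=10s
| stats count(eval(sourcetype="logweb")) AS web_503s,
        count(eval(sourcetype="OWAlog")) AS owa_events,
        min(event_time) AS first_seen,
        max(event_time) AS last_seen,
        list(_raw) AS events
        BY _time
| where web_503s > 0 AND owa_events > 0
| convert ctime(first_seen) ctime(last_seen)
```

Each result row is one 10-second bucket; events holds the raw lines from both sourcetypes in arrival order, and the two counts tell you at a glance which side contributed what. Two caveats: bin uses fixed boundaries, so a 503 at :59 and an OWAlog event at :01 fall into adjacent buckets and will not be grouped (widen span, or use a per-event window such as map or transaction with maxspan if that matters), and this only correlates on time, so on a busy host a bucket can contain OWAlog activity that is unrelated to the 503. Any field the two sourcetypes genuinely share, such as a client address or username, belongs in the BY clause alongside _time.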

mhpeters
New Member

This yielded output but I wasn't able to interpret the results.


cmerriman
Super Champion

Do they have the same timestamps? You might need to | bucket _time span=5s or something if one sourcetype has events a few seconds after the other.

Is there another field the two source types have in common?


adonio
Ultra Champion

Looks like host is common:
first search | join host [ search second search ]


cmerriman
Super Champion

If they're filtering by host, it really won't do much.
