I'm trying to do event correlation between two different sourcetypes using the following:
sourcetype=logweb host=s09 resultcode=503 | join _time [search sourcetype=OWAlog host=s09]
Only the events from the first sourcetype are being displayed. I need to see events from both sourcetypes.
What am I doing wrong?
I've tried a bunch of combinations taking into consideration the suggestions above. I'm still unable to view the actual events around the time of the 503 error in the logweb. Some searches (with the join) only display the logweb events, others (with transaction) only display the OWAlog events.
Can you share sample data from both sourcetypes?
Are you trying to see events around a 503 error from both sourcetypes?
What are the anticipated results and format?
Yes, I'm trying to see events around a 503 from both sourcetypes. Here's what is getting close to what I want:
((sourcetype=logweb) OR (sourcetype=OWAlog)) host=s09 | bin _time span=10s | transaction _time maxspan=30s | search resultcode=503
Here's a snippet of what is being returned:
::ffff:172.16.1.94 - amy [30/May/2017:17:59:51 --700] "POST /4DACTION/WebShowRACategories/ HTTP/1.1" 503 1680
::ffff:172.16.1.91 - - [30/May/2017:17:59:56 --700] "GET /4DACTION/WebADCeSignWidget/201705300000168/General%20Release/30824217/ HTTP/1.1" 503 1680
::ffff:172.16.1.91 - Nightingale [30/May/2017:17:59:56 --700] "GET /4DACTION/WebAppOrderEntry/Nightingale/Nightingale HTTP/1.1" 503 1680
May 30 17:59:58 172.16.1.53 zabbix Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
May 30 17:59:58 172.16.1.53 Concorde Concorde RA zabbix /4DAction/WebShowMenu
May 30 17:59:58 172.16.1.53 zabbix Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
I would like to see events around both sides of the 503.
Check these answers:
https://answers.splunk.com/answers/2602/can-splunk-filter-match-events-and-bring-back-neighbouring-e...
https://answers.splunk.com/answers/150509/how-to-get-events-around-identified-event.html
Also, there is a function in the GUI that does that.
Pick the event you want, expand it, look for the time field, click on the down arrow, and fill the dialog box with the amount of time you want to see events before and after the picked event.
Try this (assuming the events are close in time but do not have the exact same time):
((index="SomeIndexHere" sourcetype="logweb" resultcode="503") OR (index="OtherIndexHere" sourcetype="OWAlog")) host="s09"
| bin _time span=5m | stats values(*) AS * BY _time
This yielded output but I wasn't able to interpret the results.
Do they have the same timestamps? You might need to |bucket _time span=5s
or something similar if one sourcetype has events a few seconds after the other.
Is there another field the two source types have in common?
Looks like host is common.
first search | join host [ search second search]
If they're filtering by host, it really won't do much.
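The windowed correlation the whole thread is reaching for, as an added example that is not from the original thread or from Splunk: `join _time` only attaches subsearch fields onto the outer events (it never emits the OWAlog events as their own rows) and keys on an exact timestamp match that two independent log sources almost never share, so the script below parses both formats seen in the thread and instead collects every event from either sourcetype within a time window around each logweb 503. The sample lines are constructed to resemble the formats in the thread, not the poster's data; the OWAlog lines are syslog-style with no year or zone, so the example assumes the same year and UTC offset as the logweb lines, which is an assumption, not a fact from the page.

```python
"""Correlate two log formats around an HTTP 503 using a time window
instead of an exact-timestamp join.  Added example, not Splunk code."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample data (not the original poster's events).
LOGWEB_RAW = """\
::ffff:172.16.1.94 - amy [30/May/2017:17:59:40 -0700] "GET /4DACTION/WebShowMenu HTTP/1.1" 200 512
::ffff:172.16.1.94 - amy [30/May/2017:17:59:51 -0700] "POST /4DACTION/WebShowRACategories/ HTTP/1.1" 503 1680
::ffff:172.16.1.91 - - [30/May/2017:17:59:56 -0700] "GET /4DACTION/WebADCeSignWidget/ HTTP/1.1" 503 1680
::ffff:172.16.1.91 - bob [30/May/2017:18:03:10 -0700] "GET /4DACTION/WebShowMenu HTTP/1.1" 200 512
"""
OWALOG_RAW = """\
May 30 17:59:35 172.16.1.53 zabbix /4DAction/WebShowMenu
May 30 17:59:58 172.16.1.53 zabbix Mozilla/5.0 (compatible; MSIE 10.0)
May 30 18:00:30 172.16.1.53 Concorde RA zabbix /4DAction/WebShowMenu
"""

# Assumptions (the syslog lines carry neither): same year and UTC offset as logweb.
ASSUMED_YEAR = 2017
ASSUMED_TZ = timezone(timedelta(hours=-7))

LOGWEB_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+)$')
OWALOG_RE = re.compile(
    r'^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) '
    r'(?P<src>\S+) (?P<msg>.*)$')


def parse_logweb(line):
    """Combined-log style line -> event dict, or None if it does not match."""
    m = LOGWEB_RE.match(line)
    if not m:
        return None
    t = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"sourcetype": "logweb", "_time": t,
            "resultcode": int(m.group("status")), "_raw": line}


def parse_owalog(line):
    """Syslog style line -> event dict; year and zone are filled from the assumptions."""
    m = OWALOG_RE.match(line)
    if not m:
        return None
    stamp = f"{m.group('mon')} {m.group('day')} {ASSUMED_YEAR} {m.group('time')}"
    t = datetime.strptime(stamp, "%b %d %Y %H:%M:%S").replace(tzinfo=ASSUMED_TZ)
    return {"sourcetype": "OWAlog", "_time": t, "resultcode": None, "_raw": line}


def load_events():
    """Parse both sources and return one time-ordered list (the union Splunk's OR gives you)."""
    events = [parse_logweb(line) for line in LOGWEB_RAW.splitlines()]
    events += [parse_owalog(line) for line in OWALOG_RAW.splitlines()]
    return sorted((e for e in events if e is not None), key=lambda e: e["_time"])


def exact_time_join(events):
    """What `join _time` keys on: OWAlog events whose timestamp equals a 503's exactly."""
    anchors = {e["_time"] for e in events
               if e["sourcetype"] == "logweb" and e["resultcode"] == 503}
    return [e for e in events if e["sourcetype"] == "OWAlog" and e["_time"] in anchors]


def events_around_503(events, window_seconds=30):
    """For each logweb 503, every event from either sourcetype within +/- window."""
    window = timedelta(seconds=window_seconds)
    out = []
    for anchor in events:
        if anchor["sourcetype"] != "logweb" or anchor["resultcode"] != 503:
            continue
        neighbors = [e for e in events if abs(e["_time"] - anchor["_time"]) <= window]
        out.append({"anchor": anchor, "neighbors": neighbors})
    return out


if __name__ == "__main__":
    evs = load_events()
    print("OWAlog events sharing an exact _time with a 503:", len(exact_time_join(evs)))
    for w in events_around_503(evs, 30):
        print(f"\n== 503 at {w['anchor']['_time'].isoformat()}, +/-30s:")
        for e in w["neighbors"]:
            print(f"  {e['_time']:%H:%M:%S}  {e['sourcetype']:7}  {e['_raw'][:70]}")
```

With the constructed data the exact-time join finds nothing, which is the `join _time` failure from the question, while the 30-second window returns the OWAlog zabbix lines on both sides of each 503 alongside the logweb requests. The window width is the parameter to tune (it plays the role of `maxspan` or the `bin` span in the thread's searches); shrink it to 5 seconds and the OWAlog neighbours drop out again.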