Can you help me correlate to an event in a different source type without a correlation field?

dbras
New Member

Hi,

I am trying to correlate two different source types (haproxy and apache).

I would like to find the access on haproxy for the error I have on apache.

Here are the 2 queries I want to correlate:

Query 1 on apache:

index=* host=hostB sourcetype=apache_error "interesting error" earliest=@d-3d latest=now

Query 2 on haproxy:

index=* host=hostA sourcetype=haproxy "interesting access"

So, I am looking to find the access on the haproxy when the interesting error happened on the apache.

I tried something like that but without success:

index=* host=hostA sourcetype=haproxy "interesting access"
| search [search index=* host=hostB sourcetype=apache_error "interesting error" | eval earliest=relative_time(_time, "@m") | eval latest=relative_time(_time, "@m")+1 | return field1 field2 field3 ]
| table _time host _raw field1 field2 field3

I can't find any solutions to correlate those source types without any correlation field.

Could you help me on that ?

sduchene_splunk
Splunk Employee

Hi, this looks like a good use case for the localize + map commands, as you want to pass the earliest and latest for each result:
https://docs.splunk.com/Documentation/Splunk/7.2.3/SearchReference/Localize
(look at the examples in the doc)

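The localize + map approach suggested above, written out as an added example (not part of the original thread). It uses the hosts, sourcetypes and search strings from the question; the one-minute gap between error bursts and the 30-second padding on each side of a burst are assumptions you would tune to your own traffic:

```spl
index=* host=hostB sourcetype=apache_error "interesting error" earliest=@d-3d latest=now
| localize maxpause=1m timebefore=30s timeafter=30s
| map maxsearches=100 search="search index=* host=hostA sourcetype=haproxy \"interesting access\" earliest=$starttime$ latest=$endtime$ | eval error_window_start=$starttime$, error_window_end=$endtime$, errors_in_window=$eventcount$"
| eval error_window_start=strftime(error_window_start, "%Y-%m-%d %H:%M:%S"), error_window_end=strftime(error_window_end, "%Y-%m-%d %H:%M:%S")
| table error_window_start error_window_end errors_in_window _time host _raw
```

localize collapses the apache errors into time regions (errors separated by no more than maxpause end up in one region, padded by timebefore/timeafter), and map runs the haproxy search once per region with the region boundaries as earliest/latest, so each haproxy access is returned together with the error window it fell into. maxsearches caps the number of regions searched; regions beyond it are not searched, so raise it or widen maxpause if the error search produces many separate bursts.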
gcusello
SplunkTrust

Hi dbras,
if field1, field2 and field3 are present in both searches it's easy; you only have to take care to use the same field names:

index=* host=hostA sourcetype=haproxy "interesting access"
[search index=* host=hostB sourcetype=apache_error "interesting error" | eval earliest=relative_time(_time, "@m") | eval latest=relative_time(_time, "@m")+1 | fields field1 field2 field3 ]
| table _time host _raw field1 field2 field3

Remember that if the fields have different names in the subsearch, you have to rename them.

If instead field1, field2 and field3 aren't in both searches but only in the second one, you could use the results of the subsearch as a free-text string in the main search, something like this:

index=* host=hostA sourcetype=haproxy "interesting access"
[search index=* host=hostB sourcetype=apache_error "interesting error" | eval earliest=relative_time(_time, "@m") | eval latest=relative_time(_time, "@m")+1, query=field1." ".field2." ".field3 | fields query ]
| table _time host _raw

If instead field1, field2 and field3 are only in the main search, you have to identify the fields in the subsearch and use them in the same way as in the previous search.

Bye.
Giuseppe

dbras
New Member

Hi Giuseppe,

Thank you for your fast answer.
In fact, I don't have any common field in the 2 queries, except approximately the time.
So I would like to add, to the query that finds the error, the fields I could find in the query that finds the access around the time of the event found in the first one.

Is it possible to do that ?

gcusello
SplunkTrust

Identify the fields in search2 that you want to use and then use them as the "query" field (in the example field1, field2 and field3).
The "query" field is a way that Splunk offers to run a free-text search.

Bye.
Giuseppe
