Can you help me correlate to an event in a different source type without a correlation field?

dbras
New Member

Hi,

I am trying to correlate two different source types (haproxy and apache).

I would like to find the access on haproxy for the error I have on apache.

Here are the 2 queries I want to correlate:

Query 1 on apache:

index=* host=hostB sourcetype=apache_error "interesting error" earliest=@d-3d latest=now

Query 2 on haproxy:

index=* host=hostA sourcetype=haproxy "interesting access"

So, I am looking to find the access on the haproxy when the interesting error happened on the apache.

I tried something like that but without success:

index=* host=hostA sourcetype=haproxy "interesting access"
| search [search index=* host=hostB sourcetype=apache_error "interesting error" | eval earliest=relative_time(_time, "@m") | eval latest=relative_time(_time, "@m")+1 | return field1 field2 field3 ]
| table  _time host _raw field1 field2 field3

I can't find any solutions to correlate those source types without any correlation field.

Could you help me on that ?

0 Karma

sduchene_splunk
Splunk Employee

Hi, this looks like a good use case for the localize + map commands, as you want to pass the earliest and latest for each result:
https://docs.splunk.com/Documentation/Splunk/7.2.3/SearchReference/Localize
(look at the examples in the doc)

0 Karma
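As an added example (not part of sduchene_splunk's reply), here is the localize + map pattern spelled out for the two searches in the question. It assumes the hosts and sourcetypes from the original post (hostB/apache_error for the errors, hostA/haproxy for the accesses) and a 30-second window on each side of every error; `$starttime$` and `$endtime$` are the epoch fields that localize emits for each time region, and `error_window` is a label added here so each haproxy hit says which error region it fell into.

```spl
index=* host=hostB sourcetype=apache_error "interesting error" earliest=@d-3d latest=now
| localize timebefore=30s timeafter=30s maxpause=1m
| map maxsearches=200 search="search index=* host=hostA sourcetype=haproxy \"interesting access\" earliest=$starttime$ latest=$endtime$ | eval error_window=strftime($starttime$, \"%Y-%m-%d %H:%M:%S\") . \" to \" . strftime($endtime$, \"%Y-%m-%d %H:%M:%S\")"
| table error_window _time host _raw
```

Two things to keep in mind when running this. map launches one haproxy search per region that localize produced, so keep `maxsearches` bounded (the default is 10, and results past the limit are silently dropped); localize also merges errors closer together than `maxpause` into a single region, so the number of searches is the number of regions, not the number of errors. And because there is no shared field between the two sourcetypes, what comes back is every haproxy access that happened within the window of an apache error, which is co-occurrence in time rather than proof that a given request caused a given error; narrow `timebefore`/`timeafter` as far as the clock skew between hostA and hostB allows.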

gcusello
SplunkTrust

Hi dbras,
If field1, field2 and field3 are present in both searches it's easy; you only have to take care to use the same field names:

index=* host=hostA sourcetype=haproxy "interesting access"
[search index=* host=hostB sourcetype=apache_error "interesting error" | eval earliest=relative_time(_time, "@m") | eval latest=relative_time(_time, "+1m@m") | fields earliest latest field1 field2 field3 ]
| table _time host _raw field1 field2 field3

Remember that if the subsearch has different field names, you have to rename them.

If instead field1, field2 and field3 aren't in both searches but only in the second one, you can use the results of the subsearch as a free-text string in the main search, something like this:

index=* host=hostA sourcetype=haproxy "interesting access"
[search index=* host=hostB sourcetype=apache_error "interesting error" | eval earliest=relative_time(_time, "@m") | eval latest=relative_time(_time, "+1m@m"), query=field1." ".field2." ".field3 | fields earliest latest query ]
| table _time host _raw

If instead field1, field2 and field3 are only in the main search, you have to identify the fields in the subsearch and use them in the same way as in the previous search.

Bye.
Giuseppe

0 Karma

dbras
New Member

Hi Giuseppe,

Thank you for your fast answer.
In fact, I don't have any common field in the 2 queries, except approximately the time.
So I would like to add, to the query that finds the error, the fields I could find in the query that finds the access around the time of the event found in the first one.

Is it possible to do that ?

0 Karma

gcusello
SplunkTrust

Identify the fields in search2 that you want to use and then use them as the "query" field (in the example, field1, field2 and field3).
The "query" field is a way that Splunk offers to run a free-text search.

Bye.
Giuseppe

0 Karma