Name space between 2 or more variables found in 2 ...

lpolo · ‎03-28-2013

Let's say we have the following 3 logs sources:

request.log :
timestamp id=123 q=1 filter=2 query_time="timestamp"

response.log:
timestamp id=123 q="{1}" response="hello world" 

performance.log:
timestamp id=123 responsetime="1 ms"

Then, We need to join these 3 logs with the following query:

(request.log) OR (response.log) OR (performance.log)|
 stats
  first(q) as q
  first(query_time) as _time
  first(response) as response
  first(responsetime) as responsetime
  dc(sourcetype) as dc by id|search dc=3

Based on these premises, is there a way in splunk to define the name space of variables? Example:

q.response.log
q.request.log

In this way, I will have the following query construct:

(request.log) OR (response.log) OR (performance.log)|
 stats
  first(q.request.log) as q_req
  first(q.response.log) as q_res
  first(query_time) as _time
  first(response) as response
  first(responsetime) as responsetime
  dc(sourcetype) as dc by id|search dc=3

Any idea?

Thanks,
Lp

martin_mueller · ‎03-28-2013

You can do something like this:

... | eval q_response_log = case(source == "response.log", q) | eval q_request_log = case(source == "request.log", q)

martin_mueller · ‎04-08-2013

Use spath to extract the bits from the json you need into fields then.

lpolo · ‎04-08-2013

I tested your recommendation and for my case does not work. One of my source types is json and the other one is normal key=value pairs.

lpolo · ‎03-29-2013

Thanks.
I will test it out. It makes sense.

Lp

Name space between 2 or more variables found in 2 or more source logs

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...