Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can someone suggest few ways of correlation of two or more fields

asm_coe
Explorer
‎05-28-2019 03:10 AM

I have a ticket dump with following fields.
Transaction ID
Transaction Type
Description
Priority
urgency
Created On

Created By
Actual Closed
Resolution code
SR Type
App ID

My need to correlate among 2 fields. Please do provide few correlation search commands(SPL) with above fields. Also need to convert the search into dashboards.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DavidHourani
Super Champion
‎05-28-2019 03:27 AM

Hi @asm_coe,

Correlation takes place usually between multiple sources with similar fields. I think you're looking for building transactions. For that you can use the transaction command.

Your SPL would look like this :

index= yourIndex sourcetype=yourSourcetype | transaction Transaction_ID App_ID

This will combine all fields with similar transaction ID and APP ID together.

Official documentation here for the latest version:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction

Let me know if that helps.

Cheers,
David

View solution in original post

Reply
Solved! Jump to solution
Solution

DavidHourani
Super Champion
‎05-28-2019 03:27 AM

Hi @asm_coe,

Correlation takes place usually between multiple sources with similar fields. I think you're looking for building transactions. For that you can use the transaction command.

Your SPL would look like this :

index= yourIndex sourcetype=yourSourcetype | transaction Transaction_ID App_ID

This will combine all fields with similar transaction ID and APP ID together.

Official documentation here for the latest version:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction

Let me know if that helps.

Cheers,
David

Reply
Solved! Jump to solution

asm_coe
Explorer
‎05-28-2019 03:59 AM

Thanks David for the quick help, Also please how can I convert this search into a dashboard. like chart or pie chart.

0 Karma
Reply
Solved! Jump to solution

DavidHourani
Super Champion
‎05-28-2019 04:01 AM

Ah, that's the easy part ^^ After running the search right next to the search button there is a "save as" button. Click that, select dashboard panel and then select either to make a new dashboard or an existing one.
If you need some documentation about that let me know !

Reply
Solved! Jump to solution

asm_coe
Explorer
‎05-28-2019 04:11 AM

Thanks David for your help. Really appreciated.

0 Karma
Reply
Solved! Jump to solution

DavidHourani
Super Champion
‎05-28-2019 04:16 AM

Most welcome ! Please upvote and accept the answer if it was helpful 🙂

0 Karma
Reply
Solved! Jump to solution

koshyk
Super Champion
‎05-28-2019 03:24 AM

You can do co-relation in multiple ways

  1. If each event contains all the fields => index=yourIndex sourcetype=yourSourceType Priority>2 Transaction_ID="12345"
  2. If you want to club multiple events, then do transaction command

Please do read about converting searches to Dashboard
1. Build basic dashboard => http://dev.splunk.com/view/webframework-tutorials/SP-CAAAEN4
2. https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/Createnewdashboard

Reply
Solved! Jump to solution

asm_coe
Explorer
‎05-28-2019 04:00 AM

Thanks Koshyk, Can you please suggest few correlation commands.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...