Refine your search:

Subsearch within a bucket

0

I am looking to correlate events from two different sources whereby a rare event in source A, (in a 1 hour window) searches for events in source B (in the same 1 hour window)

These are mobile phone records, and source A lists the Phone Numbers I want to seach for in the CDR logs (source B).

This is what I have so far:

eventtype=phone_logs flagged=true |bucket  _time span=1h|stats dc(phone_log_cli) by _time phone_log_cli |join max=0 phone_log_cli[search sourcetype=cdr SCRIPT_RES="d*" BDA="*" BDUR>5]|dedup ID|eval AOA2=substr(AOA,1, 4)+"xxxxxx"| eval BDA2=substr(BDA,1,6)+"xxxxxxxx"| eval CallTime=ACONDATE|rename SCRIPT_RES as "CallType" |table _time CallTime AOA2 BDA2 BDUR BREASON customer country Network CallType

This returns bucket windows for source A, but as the search runs it populates the first bucket where a cli appears with ALL the CDR records of the same device.

That is to say (over a 4 hour search window 08:00-12:00), if a phone made 1 call an hour in each of the 4 hours, then all 4 calls show up in the 08:00 result set.

I want to run this query over 30 days, and at the moment, every call gets returned in the first window in which its CLI was flagged in source A.

How can I restrict the 'join search' to only search within the same time window as the bucket from first search? I have looked at localize - map, but this seems problematic also.

asked 20 Mar '12, 01:11

nickhillscpl's gravatar image

nickhillscpl
13816
accept rate: 50%

edited 20 Mar '12, 02:08

2 Answers:
oldestnewestmost voted
0

Not trying to go into your question in depth, so I concentrating on your first paragraph.

Could you pick out date_hour and date_mday for your rare events and use it to limit the search among the more common events.

UPDATE:

I was thinking along the lines of a subsearch, but as I said I haven't really looked at your question, so I'm not sure it would apply. My line of thinking, based on your first paragraph was;

source=B [search source=A phoneno=XXX blaha=YYY| dedup phoneno date_mday date_hour| fields + date_time date_mday phoneno]| the_rest_of_your_search_here

The inner search would look at your rare events and return unique combinations of phoneno date_mday and date_hour, which would be used as part of the outer search in source B.

Hope this helps at least a little bit.

/K

link

answered 20 Mar '12, 03:15

kristian.kolb's gravatar image

kristian.kolb
9.8k615
accept rate: 33%

edited 20 Mar '12, 04:51

OK, so this makes sense, but how do i pass date_hour and date_mday into the join search? Do i have to build this into a full time format?

(20 Mar '12, 03:32) nickhillscpl
0

Ok, so... The Subsearch works as per your example, but i want to pull some fields out of source A which are used in a table.

using your example:

source=B [search source=A phoneno=XXX blaha=YYY| dedup phoneno date_mday date_hour| fields + date_time date_mday phone no username]| table srcA_phoneno srcA_username srcB_AOA srcB_BDA

obviously, adding 'username' to the fieldset for the subsearch results in the main search looking for matches on the username also (which will not exist in source B)

how can i get additional fields from the sub search to be available for post processing along with results from the main search?

link

answered 20 Mar '12, 07:46

nickhillscpl's gravatar image

nickhillscpl
13816
accept rate: 50%

As far as I know it the subsearch approach I outlined earlier would not do the job required. The results from the subsearch would be added as part of the main search - and if 'username' is not present there, the search would essentially fail - so subsearch is not the way to go.

/k

(20 Mar '12, 19:14) kristian.kolb
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×111
×88

Asked: 20 Mar '12, 01:11

Seen: 759 times

Last updated: 20 Mar '12, 19:14

Related questions

Given a bucket name of db_1274129994_1273525194_0 what is the span of the events within this bucket?

Appending Sparkline through a JOIN

Bucket Listing

How do I bucket/cluster my results into a specific (say 4) buckets displayed as columns?

Join and a Transaction with _time within minute?

variable bucket sizes?

Bucket/Group results

Is there a way to delete old data from wide bucket spans

Rebuild 4.1 Bucket in 4.2

Copyright © 2005-2012 Splunk Inc. All rights reserved.