topic Transaction Search: How to search after matching IPs from different sourcetypes. in Getting Data In

Transaction Search: How to search after matching IPs from different sourcetypes.

alex1895 — Wed, 17 Feb 2016 03:42:30 GMT

I want to search for matching IPs (dest_ip) between my events from my sourcetype "Vectra-CEF" and other sourcetypes with their IP in field src. I was not able to find my answer in Splunk Answers.

This search does not work out:

index=* sourcetype="Vectra-CEF" OR (sourcetype="*") | transaction dest_ip src maxspan=5d connected=f |eval count_sourcetypes=mvcount(sourcetype)|where count_sourcetypes>1

Re: Transaction Search: How to search after matching IPs from different sourcetypes.

esix_splunk — Wed, 17 Feb 2016 04:15:00 GMT

Maybe something more a long the lines of

index=myindex sourcetype=vectra-cef OR sourcetype=* | stats count dc(dest_ip) AS unique_dest_ip dc(src) AS unique_src by sourcetype | where unique_dest_ip > 1 OR unique_src >1

Re: Transaction Search: How to search after matching IPs from different sourcetypes.

alex1895 — Wed, 17 Feb 2016 04:35:12 GMT

Not sure how this helps. I can't see how you search command does the matching of IPs I want. I put the sourcetype_count in so that only a event is displayed if an IP from Vectra-CEF matches with a different sourcetype.

Re: Transaction Search: How to search after matching IPs from different sourcetypes.

somesoni2 — Wed, 17 Feb 2016 05:45:14 GMT

Not sure if the transaction command is really required here. You should be able to find IP's (dest_ip or src) between your sourcetypes like this

Updated#2

index=myindex sourcetype=* | eval common_ip=if(sourcetype="Vectra-CEF",dest_ip,src) | stats values(sourcetype) as sourcetypes by common_ip | where mvcount(sourcetypes)>1 AND isnotnull(mvfind(sourcetypes,"Vectra-CEF"))

If you do have a constraint which require you to use transaction, try like this (would not recommend though)

index=myindex sourcetype=* | eval common_ip=if(sourcetype="Vectra-CEF",dest_ip,src) | transaction common_ip maxspan=5d connected=f | where mvcount(sourcetype)>1  AND isnotnull(mvfind(sourcetype,"Vectra-CEF"))

Re: Transaction Search: How to search after matching IPs from different sourcetypes.

alex1895 — Wed, 17 Feb 2016 06:28:28 GMT

Thanks, looks good. The only problem I now still have that I only want dest_ip taken from a one specific sourcetype. For the src I want every sourcetype included beside the other one I have used before.

Re: Transaction Search: How to search after matching IPs from different sourcetypes.

somesoni2 — Wed, 17 Feb 2016 06:36:32 GMT

Not at all difficult to take care of that problem. Try the updated answer.

Re: Transaction Search: How to search after matching IPs from different sourcetypes.

alex1895 — Wed, 17 Feb 2016 06:51:28 GMT

It still for some reason gives events with two or more sourcetypes without the sourcetype "Vectra-CEF". Any idea why?

Re: Transaction Search: How to search after matching IPs from different sourcetypes.

somesoni2 — Wed, 17 Feb 2016 06:56:17 GMT

I missed the part "matching IP". So now I added a condition to check that sourcetype list should contain Vectra-CEF sourcetype.

Re: Transaction Search: How to search after matching IPs from different sourcetypes.

alex1895 — Wed, 17 Feb 2016 07:03:48 GMT

Excellent. Thank you very much!