<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic splunk --filtering and correlation in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/splunk-filtering-and-corelation/m-p/348975#M94879</link>
    <description>&lt;P&gt;We have NPS auth logs from our VPN service. &lt;BR /&gt;
Requirement: In the NPS logs, when an auth request first comes in it gets logged with Packet_Type=1, and upon rejection of the auth request it gets logged with Packet_Type=3. The client IP only comes in and is recorded under the field Calling_Station_Id with Packet_Type=1; the username is recorded under both packet types (1 &amp;amp; 3). I need to filter out events having Packet_Type=1 and Packet_Type=3 for the same username and extract the field Calling_Station_Id, and after that further find whether the same set of events is happening for different usernames from the same Calling_Station_Id.&lt;BR /&gt;
example log:&lt;BR /&gt;
Packet_Type=1 for username ABC123&lt;BR /&gt;
2016-03-28T07:30:47.960 id=5296293 Computer_Name=XXXX Packet_Type=1 User_Name=ABC123 F_Q_User_Name="ABC123" Called_Station_Id=1.1.1.1 Calling_Station_Id=1.2.3.4 Callback_Number= &lt;BR /&gt;
Framed_IP_Address= NAS_Identifier= NAS_IP_Address=5.6.7.8 NAS_Port=74940416 Client_Vendor=9 Client_IP_Address=5.6.7.8 Client_Friendly_Name=corp Event_Timestamp= &lt;BR /&gt;
Port_Limit= NAS_Port_Type=5 Connect_Info= Framed_Protocol= &lt;/P&gt;

&lt;P&gt;Packet_Type=3 for the same username ABC123&lt;BR /&gt;
2016-03-28T07:30:47.967 id=5296294 Computer_Name=xxxx Packet_Type=3 User_Name= F_Q_User_Name="ABC123" Called_Station_Id= Calling_Station_Id= &lt;BR /&gt;
Callback_Number= Framed_IP_Address= NAS_Identifier= NAS_IP_Address= NAS_Port= Client_Vendor=9 Client_IP_Address=5.6.7.8 Client_Friendly_Name=corp &lt;BR /&gt;
Event_Timestamp= Port_Limit= NAS_Port_Type= Connect_Info= Framed_Protocol= Service_Type= Authentication_Type=4 NP_Policy_Name= &lt;BR /&gt;
Reason_Code=16 Class="311 1 5.4.3.1 07/24/2016 20:10:56 138735" Session_Timeout=&lt;BR /&gt;
Service_Type= Authentication_Type=4 NP_Policy_Name= Reason_Code=0 Class="311 1 5.4.3.2 07/24/2016 20:10:56 138735"&lt;/P&gt;</description>
    <pubDate>Tue, 29 Sep 2020 19:08:12 GMT</pubDate>
    <dc:creator>ritikaviavi</dc:creator>
    <dc:date>2020-09-29T19:08:12Z</dc:date>
    <item>
      <title>splunk --filtering and correlation</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/splunk-filtering-and-corelation/m-p/348975#M94879</link>
      <description>&lt;P&gt;We have NPS auth logs from our VPN service. &lt;BR /&gt;
Requirement: In the NPS logs, when an auth request first comes in it gets logged with Packet_Type=1, and upon rejection of the auth request it gets logged with Packet_Type=3. The client IP only comes in and is recorded under the field Calling_Station_Id with Packet_Type=1; the username is recorded under both packet types (1 &amp;amp; 3). I need to filter out events having Packet_Type=1 and Packet_Type=3 for the same username and extract the field Calling_Station_Id, and after that further find whether the same set of events is happening for different usernames from the same Calling_Station_Id.&lt;BR /&gt;
example log:&lt;BR /&gt;
Packet_Type=1 for username ABC123&lt;BR /&gt;
2016-03-28T07:30:47.960 id=5296293 Computer_Name=XXXX Packet_Type=1 User_Name=ABC123 F_Q_User_Name="ABC123" Called_Station_Id=1.1.1.1 Calling_Station_Id=1.2.3.4 Callback_Number= &lt;BR /&gt;
Framed_IP_Address= NAS_Identifier= NAS_IP_Address=5.6.7.8 NAS_Port=74940416 Client_Vendor=9 Client_IP_Address=5.6.7.8 Client_Friendly_Name=corp Event_Timestamp= &lt;BR /&gt;
Port_Limit= NAS_Port_Type=5 Connect_Info= Framed_Protocol= &lt;/P&gt;

&lt;P&gt;Packet_Type=3 for the same username ABC123&lt;BR /&gt;
2016-03-28T07:30:47.967 id=5296294 Computer_Name=xxxx Packet_Type=3 User_Name= F_Q_User_Name="ABC123" Called_Station_Id= Calling_Station_Id= &lt;BR /&gt;
Callback_Number= Framed_IP_Address= NAS_Identifier= NAS_IP_Address= NAS_Port= Client_Vendor=9 Client_IP_Address=5.6.7.8 Client_Friendly_Name=corp &lt;BR /&gt;
Event_Timestamp= Port_Limit= NAS_Port_Type= Connect_Info= Framed_Protocol= Service_Type= Authentication_Type=4 NP_Policy_Name= &lt;BR /&gt;
Reason_Code=16 Class="311 1 5.4.3.1 07/24/2016 20:10:56 138735" Session_Timeout=&lt;BR /&gt;
Service_Type= Authentication_Type=4 NP_Policy_Name= Reason_Code=0 Class="311 1 5.4.3.2 07/24/2016 20:10:56 138735"&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 19:08:12 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/splunk-filtering-and-corelation/m-p/348975#M94879</guid>
      <dc:creator>ritikaviavi</dc:creator>
      <dc:date>2020-09-29T19:08:12Z</dc:date>
    </item>
    <item>
      <title>Re: splunk --filtering and correlation</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/splunk-filtering-and-corelation/m-p/348976#M94880</link>
      <description>&lt;P&gt;Give this a try (username is already extracted as a field):&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;your base search to select both Packet_Type=1 and Packet_Type=3 logs
``` field names are case-sensitive: use Packet_Type and Calling_Station_Id exactly as they appear in the log ```
| stats values(Calling_Station_Id) as Calling_Station_Id dc(Packet_Type) as Packet_types by username
``` keep users that have both a request (1) and a reject (3), and whose request carried a station id ```
| where isnotnull(Calling_Station_Id) AND Packet_types=2
``` regroup by station to see which of those users came from each one ```
| stats values(username) as usernames by Calling_Station_Id
| where mvcount(usernames)&amp;gt;1
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;This will give the list of Calling_Station_Id values where both Packet_Type=1 and Packet_Type=3 events happened from multiple users.&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 19:08:17 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/splunk-filtering-and-corelation/m-p/348976#M94880</guid>
      <dc:creator>somesoni2</dc:creator>
      <dc:date>2020-09-29T19:08:17Z</dc:date>
    </item>
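The correlation in the reply above, run over sample NPS lines in Python as an added example (this is not code from the thread or from Splunk). It mirrors the SPL stage by stage: parse key=value fields, group by username, keep users that have both an Access-Request (Packet_Type=1) and an Access-Reject (Packet_Type=3), then regroup by Calling_Station_Id and report stations seen with more than one such user. The sample log is constructed: the first two lines are the poster's own two events trimmed to the relevant fields, the rest are invented users DEF456, GHI789 and JKL000. One assumption worth making explicit: in the posted reject event User_Name is empty and only F_Q_User_Name carries the account, so the join key here is F_Q_User_Name with User_Name as fallback; the reply's "username" field must be extracted the same way or the Packet_Type=3 events will never pair up.

```python
"""Correlate NPS (RADIUS) auth events the way the SPL reply does.

Flow: parse key=value lines, group by username, keep users that have
both an Access-Request (Packet_Type=1) and an Access-Reject (Packet_Type=3),
map the Calling_Station_Id seen on the request to those users, and report
any station with more than one such user.
"""
import re
from collections import defaultdict

# Splunk-style KV extraction: key=value where the value is either a quoted
# string (may contain spaces, e.g. Class="311 1 ...") or a run of non-space
# characters. An empty value (Callback_Number=) is treated as absent, which
# matches how the SPL's isnotnull() behaves on the posted log.
_KV = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_nps_line(line):
    """Return a dict of fields for one NPS line; 'timestamp' is the leading token."""
    ts, _, rest = line.strip().partition(" ")
    fields = {"timestamp": ts}
    for key, raw in _KV.findall(rest):
        value = raw.strip('"')
        if value:
            fields[key] = value
    return fields


def username_of(event):
    """Join key for the correlation. Packet_Type=3 events in the posted log
    carry an empty User_Name but a populated F_Q_User_Name, so prefer that."""
    return event.get("F_Q_User_Name") or event.get("User_Name")


def shared_stations(lines):
    """Equivalent of:
      stats values(Calling_Station_Id) dc(Packet_Type) by username
      | where isnotnull(Calling_Station_Id) AND Packet_types=2
      | stats values(username) by Calling_Station_Id
      | where mvcount(usernames)>1
    Returns {calling_station_id: sorted usernames} for stations with 2+ users."""
    packet_types = defaultdict(set)   # username -> {"1", "3"}
    stations = defaultdict(set)       # username -> station ids from its requests
    for line in lines:
        ev = parse_nps_line(line)
        ptype = ev.get("Packet_Type")
        user = username_of(ev)
        if ptype not in ("1", "3") or not user:
            continue  # the base search: requests and rejects that name a user
        packet_types[user].add(ptype)
        if "Calling_Station_Id" in ev:  # only populated on Packet_Type=1 here
            stations[user].add(ev["Calling_Station_Id"])

    by_station = defaultdict(set)
    for user, types in packet_types.items():
        # dc(Packet_Type)=2 means both a request and a reject were seen
        if types == {"1", "3"} and stations[user]:
            for station in stations[user]:
                by_station[station].add(user)

    # mvcount(usernames)>1: more than one rejected account from one station
    return {s: sorted(u) for s, u in by_station.items() if len(u) > 1}


# Constructed sample log: the poster's two ABC123 events (trimmed), plus
# invented users. DEF456 is rejected from the same station as ABC123, GHI789
# is rejected from a different station, JKL000 sends a request with no reject.
SAMPLE_LOG = [
    '2016-03-28T07:30:47.960 id=5296293 Computer_Name=XXXX Packet_Type=1 User_Name=ABC123 '
    'F_Q_User_Name="ABC123" Called_Station_Id=1.1.1.1 Calling_Station_Id=1.2.3.4 '
    'Callback_Number= NAS_IP_Address=5.6.7.8 Client_IP_Address=5.6.7.8',
    '2016-03-28T07:30:47.967 id=5296294 Computer_Name=xxxx Packet_Type=3 User_Name= '
    'F_Q_User_Name="ABC123" Calling_Station_Id= Client_IP_Address=5.6.7.8 '
    'Authentication_Type=4 Reason_Code=16 Class="311 1 5.4.3.1 07/24/2016 20:10:56 138735"',
    '2016-03-28T07:31:02.100 id=5296301 Packet_Type=1 User_Name=DEF456 '
    'F_Q_User_Name="DEF456" Calling_Station_Id=1.2.3.4 Client_IP_Address=5.6.7.8',
    '2016-03-28T07:31:02.108 id=5296302 Packet_Type=3 User_Name= '
    'F_Q_User_Name="DEF456" Calling_Station_Id= Reason_Code=16',
    '2016-03-28T07:32:10.000 id=5296310 Packet_Type=1 User_Name=GHI789 '
    'F_Q_User_Name="GHI789" Calling_Station_Id=9.9.9.9',
    '2016-03-28T07:32:10.005 id=5296311 Packet_Type=3 User_Name= '
    'F_Q_User_Name="GHI789" Calling_Station_Id= Reason_Code=16',
    '2016-03-28T07:33:00.000 id=5296320 Packet_Type=1 User_Name=JKL000 '
    'F_Q_User_Name="JKL000" Calling_Station_Id=1.2.3.4',
]

if __name__ == "__main__":
    for station, users in shared_stations(SAMPLE_LOG).items():
        print(station, "rejected users:", ", ".join(users))
```

On the constructed input only 1.2.3.4 is reported, with ABC123 and DEF456; GHI789 is alone on its station and JKL000 never received a reject. Note that, like the SPL it mirrors, this pairs a request with a reject anywhere in the search window rather than the next reject after each request, so when hunting for one source cycling through accounts, keep the time range tight or bucket by time before judging a station.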
  </channel>
</rss>

