topic Re: Event correlation in Splunk Search

Event correlation

Shuzzillay — Thu, 08 Oct 2020 00:03:19 GMT

There's been numerous other questions that I've read through to see if a similar situation has been asked but so far (from what I've gathered) they've not matched my situation, so I figure I'd ask here.

My goal is to create an alert.

index=abc123 Operation=EventTriggered |spath input=Data |fields reid

This will give me reid (relative ID). In the same index (abc123) there's events that have a unique ID (the field name is GUID). So, using the above search's reid value, I want to take that value and search for it in GUID and return events. So, if reid=xyz, I want something along the lines of:

index=abc123 GUID=xyz NOT (Operation=EventTriggered) |rename "Parameters{}.Name" AS paramsName "Parameters{}.Value" AS paramsValue |eval params=mvzip(paramsName,paramsValue) |table myfields

The issue is that I don't know which value of GUID to search for until I run the first search, and the field values that I care about and want to table are generated from my second search.

My question, is, what is a good way to approach this? I don't think I can use a join since reid and GUID are different field names. In the result set of the first search I can't rename reid to GUID because the event with the recorded reid has its own GUID value. Although I can probably do some multivalue field manipulation to overcome that issue?

Could I use a subsearch somehow? Maybe in the subsearch, get the value of reid and pass it in that way?

Thanks.

Re: Event correlation

inventsekar — Thu, 08 Oct 2020 01:53:22 GMT

>> The issue is that I don't know which value of GUID to search for until I run the first search, and the field values that I care about and want to table are generated from my second search.

Hi @Shuzzillay .. so, after running the first search for reid, how you will know which value of GUID to search? i mean, you will manually select the GUID or any calculations like top reid will be my GUID, etc.

Re: Event correlation

ITWhisperer — Thu, 08 Oct 2020 09:42:17 GMT

I am not sure why you can't use join. Just overwrite the GUID from the first search with the reid. You don't need the GUID from the first search since you are effectively excluding it with NOT (Operation=EventTriggered).

index=abc123 Operation=EventTriggered | spath input=Data | eval GUID=reid | fields GUID | join GUID [ search index=abc123 NOT (Operation=EventTriggered) |rename "Parameters{}.Name" AS paramsName "Parameters{}.Value" AS paramsValue |eval params=mvzip(paramsName,paramsValue) ] |table myfields

Re: Event correlation

Shuzzillay — Thu, 08 Oct 2020 19:42:08 GMT

You are right, and this does work (so thanks!)

I wonder if there's a way to go about it without a join, but this seems like an ideal scenario for using a join.

Re: Event correlation

Shuzzillay — Thu, 08 Oct 2020 19:44:05 GMT

It won't be manual as my goal is to write an alert. I was thinking just using `fields` or any other calculation.

Re: Event correlation

ITWhisperer — Thu, 08 Oct 2020 20:15:31 GMT

You could try this

search index=abc123 NOT (Operation=EventTriggered) [ search index=abc123 Operation=EventTriggered | spath input=Data | eval GUID=reid | fields GUID ] |rename "Parameters{}.Name" AS paramsName "Parameters{}.Value" AS paramsValue |eval params=mvzip(paramsName,paramsValue) |table myfields