topic Re: How to correlate an event using two different indexes? in Splunk Search

How to correlate an event using two different indexes?

bcjammer03 — Tue, 08 Dec 2020 20:42:13 GMT

I'm trying to create a query that will provide me with events that use two indexes. The results are to show events where 2 consecutive emails were blocked (by a specific endpoint tool = index1) followed by a successfully sent email (logged by another endpoint tool = index2).

event/log=((block#1and block#2) and successful sent email)

I've been running into issues-this what I currently have:

index=index1 field1=SMTP action=blocked

| rex field=suid "(?<UserName>.+?)@"

| eval UserName=upper(UserName)

| rex "fileName"=(?<attachments>.+)\s*fileHash=*+"

| rex field=_raw "(?Subject>(?<=cs\=)(.*)(?=suid\=))"

| rename suid AS Sender act as ACT

| stats count by UserName

| transaction endswith=datasource="index2" maxspan=30min

Any help is appreciated, thanks.

Re: How to correlate an event using two different indexes?

rafamss — Tue, 08 Dec 2020 20:58:11 GMT

Can you explain more about what you want? What I understood is:

The first index have the initial information, like email, user ID, and so on,
The second one is the information related to event stats like blocks, success, etc.

Is that right?

Re: How to correlate an event using two different indexes?

bcjammer03 — Tue, 08 Dec 2020 21:09:35 GMT

The first index contains data from an endpoint security tool that can block outbound/external emails. The second index contains data from another endpoint tool that archives emails (I can see all successful outbound and inbound emails that are not blocked).

So essentially, I want to see if user ABC123 gets two email blocks and within 30 minutes of those two blocks (index1), sends a successful email that is not blocked (index2).