topic Comparing results from three separate events in Splunk Search

Comparing results from three separate events

venomousmoose — Mon, 02 Oct 2017 21:28:05 GMT

Forgive my ignorance if this has been answered elsewhere, I did my best to search for an answer but have not found it.

I am trying to compare three different search results for three separate events for specific time periods. Here are the strings I'm searching for:

1. user=BeerNFries OR ComputerName=xyz.local OR srcip="123.123.123.123"
2. user=Id10T OR ComputerName=123.local OR srcip="111.111.111.111"
3. user=PhishMe OR ComputerName=456.local OR srcip="222.222.222.222"

Where:
Event 1 occurred 9/17/2017 between 11:45 - 11:48
Event 2 occurred 8/19/2017 between 14:15 - 14:20
Event 3 occurred 9/12/2017 between 15:21 - 15:39

How would I be able to compare what happened during these times to look for similarities?

Re: Comparing results from three separate events

sduff_splunk — Tue, 03 Oct 2017 03:44:22 GMT

Are you wanting to get all the events for each one of those time periods in the one search? If so,

(user=BeerNFries OR ComputerName=xyz.local OR srcip="123.123.123.123" earliest="9/17/2017:11:45:00" latest="9/17/2017:11:48:00" ) OR (user=Id10T OR ComputerName=123.local OR srcip="111.111.111.111" earliest="8/19/2017:14:45:00" latest="8/19/2017:14:20:00") OR (user=PhishMe OR ComputerName=456.local OR srcip="222.222.222.222" earliest="9/12/2017:15:21:00" latest="9/12/2017:15:39:00")

Re: Comparing results from three separate events

DalJeanis — Tue, 03 Oct 2017 03:51:40 GMT

Okay, this is a big wide broad open clean slate of a question, especially since you have withheld a lot of the information that would allow us to be more specific..

I believe when you say "event" you don't mean the technical term, "a specific record in the Splunk database", I believe you mean "a set of things that happened that we are worried about."

So, the first thing that I would do is dump all the events from all indexes related to each of those time frames for any of those users, IPs and computernames, and put all of them into a purpose-build summary index, to save you from having to pull them repeatedly.

I would identify the types of records that are in there, and then run a scan across the entire time frame to see how common each of those types of events is. Since you are only looking at a few minutes, it shouldn't be that difficult to isolate what events are there, and then look for other clusters of the same events, not associated with whatever worries you, so you can compare and identify any differences.

If you'd like to be more specific, then we can probably help more.

Re: Comparing results from three separate events

venomousmoose — Tue, 03 Oct 2017 15:07:03 GMT

What I'm looking for is activity before and after a virus alert on three different computers on three different days. I'm trying to figure out if there any similar activities (websites visited, emails received, etc...) just before the events that could have triggered the alert.