https://community.splunk.com/t5/Splunk-Search/Tricky-Search-for-2-events-in-same-Index/m-p/704022#M238600 <P>Correlating on time alone while possible is always tricky. You never know what delay you're gonna get between these two events. And you might get more than just those two events at this particular timestamp. It's best if you either have both those pieces of information within one event or at least they both include some unique identifier so that you can unambiguously connect one with the other.</P> Sat, 09 Nov 2024 23:06:43 GMT PickleRick 2024-11-09T23:06:43Z https://community.splunk.com/t5/Splunk-Search/Tricky-Search-for-2-events-in-same-Index/m-p/704020#M238598 <P>So I have an Index with working alerts thanks to your guys help.</P><P>I have a question on 2 separate events at the same time.</P><P>1st Event : Invalid password provided for user : xxxxxxxx (this is in the Event)</P><P>2nd Event : &nbsp;GET /Project/1234/ HTTP/1.1 401 (this is basically letting me know about the first event but what Project they tried to connect.</P><P>&nbsp;</P><P>How would one write to Get the Username of the invalid password and chlorate that with the project at the same time underneath</P><P>Example User xxxxxx put in an invalid password for Project 1234.</P><P>Thinking it is easier to get my team to write it all in 1 event for another release.</P><P>&nbsp;</P> Sat, 09 Nov 2024 22:57:09 GMT https://community.splunk.com/t5/Splunk-Search/Tricky-Search-for-2-events-in-same-Index/m-p/704020#M238598 LizAndy123 2024-11-09T22:57:09Z https://community.splunk.com/t5/Splunk-Search/Tricky-Search-for-2-events-in-same-Index/m-p/704021#M238599 <P>I will add - it is the same index but the 1st event is from one source type and the 2nd event from another source type (just different server logs)</P><P>&nbsp;</P> Sat, 09 Nov 2024 23:00:01 GMT https://community.splunk.com/t5/Splunk-Search/Tricky-Search-for-2-events-in-same-Index/m-p/704021#M238599 LizAndy123 2024-11-09T23:00:01Z https://community.splunk.com/t5/Splunk-Search/Tricky-Search-for-2-events-in-same-Index/m-p/704022#M238600 <P>Correlating on time alone while possible is always tricky. You never know what delay you're gonna get between these two events. And you might get more than just those two events at this particular timestamp. It's best if you either have both those pieces of information within one event or at least they both include some unique identifier so that you can unambiguously connect one with the other.</P> Sat, 09 Nov 2024 23:06:43 GMT https://community.splunk.com/t5/Splunk-Search/Tricky-Search-for-2-events-in-same-Index/m-p/704022#M238600 PickleRick 2024-11-09T23:06:43Z https://community.splunk.com/t5/Splunk-Search/Tricky-Search-for-2-events-in-same-Index/m-p/704054#M238602 <P>In addition to the technical consideration&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231884">@PickleRick</a>&nbsp;points out, you should make a blunt case to your developers that this is logically impossible unless</P><UL><LI>there is ever one user accessing your entire Web site with credentials, or</LI><LI>there is a strict mechanism to prevent more than one user to access your Web site during any prescribed time interval.</LI></UL><P>This, and if code authentication failure is the ONLY reason 401 is returned. (HTTP 401 is for unauthorized access, not an indicator of authentication failure.)</P><P>Present the above two logs to your developers, ask them what logic can they use (without Splunk) to tell you why the second event is related to the same user as the second event?</P><P>If your logs contain additional identifiable information such as client IP address, there is a better chance for such correlation. &nbsp;But your mock data don't suggest existence of such data.</P> Mon, 11 Nov 2024 01:50:17 GMT https://community.splunk.com/t5/Splunk-Search/Tricky-Search-for-2-events-in-same-Index/m-p/704054#M238602 yuanliu 2024-11-11T01:50:17Z