All Apps and Add-ons

Cisco Ironport ESA transaction or subsearch

imarks004
Path Finder

I am trying to figure out how to pull the data around the following event that matches on the second MID.

Tue May 31 14:16:21 2011 Info: MID 47539682 was generated based on MID 47539681 by notify-copy filter 'notify_subject_line'

The events associated with the second MID contains all of the relevant data that triggered this event. I am using the Cisco_esa_addon to handle the extractions so MID is getting extracted twice for this event. I created a another extraction to just extract the second MID as trigger_mid. Is it possible to use a transaction to match trigger_mid to mid or is this going to require a subsearch?

sourcetype=cisco_esa notify_subject_line | rex "based on MID (?<trigger_mid>\S+)"| transaction ???

Thank you

Tags (1)
0 Karma

MuS
SplunkTrust
SplunkTrust

Hi imarks004,

a long time ago you asked this and here is an answer to this question:
You can use stats for it:

sourcetype=cisco_esa notify_subject_line 
| rex "based on MID (?<trigger_mid>\S+)" 
| stats list(_raw) AS _raw by trigger_mid mid

You can learn more about the different use cases of stats here https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo... or here http://sideviewapps.com/slides/2016_03_31_nick_mealy_grouping_talk.pptx

Hope this helps ...

cheers, MuS

0 Karma

malvidin
Communicator

You have to use a subsearch. This is untested, but something similar can be used. Using append might be better, depending on the desired results.

sourcetype=esa_sourcetype [ 
    search internal_message_id = "trigger_mid"
  | rex "MID (?P<interesting_message_id>[0-9]+) was generated" 
  | return interesting_message_id AS internal_message_id 
]  

 

0 Karma
Get Updates on the Splunk Community!

Streamline Data Ingestion With Deployment Server Essentials

REGISTER NOW!Every day the list of sources Admins are responsible for gets bigger and bigger, often making the ...

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

REGISTER NOW!Join us for a Tech Talk around our latest release of Splunk Enterprise Security 7.2! We’ll walk ...

Introduction to Splunk AI

WATCH NOWHow are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. ...