Can I write a search that contains the source of an event to identify the client that originated a proxy request? (With a common field)

ptur
Path Finder

Hello,

I have a report that shows me network events - most of the events will have "source ip" coming from a proxy and destination being some url.
Is there a way to formulate the report query so that it contains the actual source of that event, based on another "nested" search that would identify the client that originated the proxy request (there would be something in common there, most likely a destination IP)?

Thanks!


DalJeanis
Legend

It can be done.... and there are several entire apps that are based on helping to correlate events like this.

The bottom line is, you need to look at the data that your network has, collects, and forwards to Splunk, and identify what the events look like that you are trying to correlate. Then, with properly "anonymized" examples of your events, we can help you write the search for your installation.

The process that I advise, in cases like these, is to start with yourself (or, if you don't have internet access, a colleague.) Go do whatever it is you want to detect (assuming it's legal) and then, using your workstation ID, your user ID, your IP address, the destination IP address, and so on, find every single record on every index in the time frame of your activity that documents what happened.

Once you have that, code a single query that pulls all those together, and copies the data onto a single summary record for reporting. (Usually the search will be first grabbing the records and the fields, then using either eventstats or streamstats to copy them around, then ending with stats.) We can help you with this part, but only after you've found examples of the squishy part you described as "there would be something in common there..."
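As an added sketch of the "grab the records, copy fields around with streamstats, end with stats" pattern described above (my own illustration, not DalJeanis's search or anything from the original thread): it assumes a proxy sourcetype `proxy_access` in index `proxy` whose `src_ip` is the proxy itself, a client-side connection sourcetype `client_conn` in index `netfw` whose `src_ip` is the workstation, the requested host present on both sides as `dest_host` or `dest`, and that host plus a 5-second window as the common key.

```spl
(index=proxy sourcetype=proxy_access) OR (index=netfw sourcetype=client_conn)
| eval dest_key=coalesce(dest_host, dest)
| eval kind=if(sourcetype=="proxy_access", "proxy", "client")
| eval client_ip=if(kind=="client", src_ip, null())
| sort 0 _time
| streamstats current=f time_window=5s last(client_ip) AS client_ip BY dest_key
| where kind=="proxy" AND isnotnull(client_ip)
| stats count AS requests, earliest(_time) AS first_seen, latest(_time) AS last_seen, values(url) AS urls BY client_ip, src_ip, dest_key
| rename src_ip AS proxy_ip
| convert ctime(first_seen) ctime(last_seen)
```

The `streamstats` line copies the most recent workstation IP seen for the same destination within the previous 5 seconds onto each following proxy event, and the final `stats` rolls those up into one summary row per client, proxy and destination. Destination host alone is ambiguous when several clients hit the same site at the same moment, so add a user or session field to the `BY` clause if your proxy logs carry one, and keep the window as small as your clock skew allows.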
