Can I write a search that contains the source of an event to identify the client that originated a proxy request? (With a common field)

I have a report that shows me network events - most of the events will have "source ip" coming from a proxy and destination being some url.
Is there a way to formulate a report query so that it contains the actual source of that event, based on another "nested" search that would identify the client that originated the proxy request? (There would be something in common there, most likely a destination IP.)




It can be done... and there are several entire apps that are based on helping to correlate events like this.

The bottom line is, you need to look at the data that your network has, collects, and forwards to Splunk, and identify what the events look like that you are trying to correlate. Then, with properly "anonymized" examples of your events, we can help you write the search for your installation.

The process that I advise, in cases like these, is to start with yourself (or, if you don't have internet access, a colleague.) Go do whatever it is you want to detect (assuming it's legal) and then, using your workstation ID, your user ID, your IP address, the destination IP address, and so on, find every single record on every index in the time frame of your activity that documents what happened.

Once you have that, code a single query that pulls all those together, and copies the data onto a single summary record for reporting. (Usually the search will be first grabbing the records and the fields, then using either eventstats or streamstats to copy them around, then ending with stats.) We can help you with this part, but only after you've found examples of the squishy part you described as "there would be something in common there..."
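As an added example of the shape such a search takes (this is not part of the original answer, and nothing here is taken from the asker's environment), here is an SPL search that follows the pattern above: pull both record types, copy the client identity from the proxy events onto the later firewall events with streamstats, then summarize with stats. Everything named in it is an assumption: a hypothetical sourcetype `fw_egress` in `index=firewall` whose `src_ip` is the proxy (the placeholder address 10.0.0.5) and whose `dest_ip`/`dest_port` are the external endpoint, a hypothetical sourcetype `proxy_access` in `index=proxy` whose `src_ip` is the internal client and whose `dest_ip` is the resolved address of the requested `url`, and a 5-second correlation window.

```spl
(index=firewall sourcetype=fw_egress src_ip="10.0.0.5")
    OR (index=proxy sourcetype=proxy_access)
| eval client_ip=if(sourcetype=="proxy_access", src_ip, null()),
       proxy_time=if(sourcetype=="proxy_access", _time, null())
| sort 0 _time
| streamstats current=f last(client_ip) as client_ip last(proxy_time) as proxy_time last(url) as url by dest_ip
| where sourcetype=="fw_egress" AND isnotnull(proxy_time) AND (_time - proxy_time) <= 5
| eval lag_seconds=_time - proxy_time
| stats count min(lag_seconds) as min_lag values(dest_port) as dest_port values(url) as url by client_ip dest_ip
```

Reading it stage by stage: the first `eval` sets `client_ip` and `proxy_time` only on proxy events, leaving them null on firewall events; `sort 0 _time` puts every event in chronological order; `streamstats ... by dest_ip` with `current=f` carries the most recent non-null `client_ip`, `proxy_time` and `url` for the same destination onto each following event, which is how a firewall event whose `src_ip` is the proxy inherits the client that last asked the proxy for that destination; the `where` clause keeps only firewall events that had a proxy request for the same `dest_ip` within the window; the closing `stats` is the single summary record per client and destination.

Two caveats a practitioner should check before trusting the result. First, the join only works if the proxy log actually records the resolved destination IP; many proxies log only the hostname or URL, in which case you need a lookup or an enrichment step that maps the host to the IP the firewall saw. Second, attribution is ambiguous when two clients hit the same destination inside the window: the later firewall event is credited to the most recent proxy request, so tighten the window, add `dest_port` or a session field to the `by` clause where your logs carry one, and verify against the self-test the answer describes (your own workstation, your own request) before reporting on it.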