
Security investigation - Correlating similar values from different sources

MLGSPLUNK
Path Finder

Hi Community.

My customer is ingesting two sources of data: one from IDP and another from a Firewall. Both are CIM compliant and already are ingested fine.

Both sources have a definition for "high" category of event. The problem is the IDP is sending the value as "high" and the FW is sending it as "High" (different capital letter).

If I want to correlate both sources in one chart, I get one line with high and another with High.

My question is:

- would you change the values at parsing (props.conf, SEDCMD) so correlation is easier for all the future incidents?

- would you change the values at searching time (props.conf) or even at SPL time (EVAL field to make all "high" look like "High").

I'm looking at future consequences of both approaches, efficient-wise and useful-wise.

Thanks in advance.

1 Solution

scelikok
SplunkTrust

Hi @MLGSPLUNK,

I would change on search time in props.conf using EVAL IF. This will make further queries easier and prevent wrong results. The SPL solution is more open to error, if somebody didn't know about problems with case sensitivity in stats etc.

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
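Added example of the search-time approach recommended above (my own illustration, not configuration from the original thread or from Splunk): a calculated field in props.conf that lowercases the severity value for both sourcetypes, so "high" and "High" become the same value without touching the indexed raw events. The sourcetype names `idp:events` and `fw:traffic` and the field name `severity` are assumptions; substitute the customer's actual sourcetypes and the CIM field they populate.

```ini
# props.conf on the search head (e.g. $SPLUNK_HOME/etc/apps/<your_app>/local/props.conf)
# Sourcetype names and the "severity" field are assumed for illustration.

[idp:events]
# Calculated field: overrides the extracted "severity" with its lowercase form at search time.
# "high", "High" and "HIGH" all become "high"; an absent severity stays absent (lower(null) is null).
# Lowercase matches the values the CIM data models document (critical, high, medium, low, informational).
EVAL-severity = lower(severity)

[fw:traffic]
EVAL-severity = lower(severity)

# Check that both sources now land on one line, run after the config is in place:
#   index=security (sourcetype=idp:events OR sourcetype=fw:traffic)
#   | timechart count by severity
#
# Per-search alternative (what the question calls the "SPL time" option), which every
# analyst would have to remember to add:
#   ... | eval severity=lower(severity) | stats count by severity
```

Two consequences worth knowing before choosing: a search-time calculated field also normalizes events that are already indexed, whereas an index-time SEDCMD rewrite only affects data ingested after the change and permanently alters `_raw`. Calculated fields are evaluated on every search that references the field, which is cheap for a `lower()` call but applies to every sourcetype you add the stanza to, so keep the stanza scoped to the sourcetypes that actually need it.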



MLGSPLUNK
Path Finder

@scelikok it makes perfect sense. Thanks!
