Getting Data In

Transaction Search: How to search after matching IPs from different sourcetypes.

alex1895
Path Finder

I want to search for matching IPs (dest_ip) between my events from my sourcetype "Vectra-CEF" and other sourcetypes with their IP in field src. I was not able to find my answer in Splunk Answers.

This search does not work out:

index=* sourcetype="Vectra-CEF" OR (sourcetype="*") | transaction dest_ip src maxspan=5d connected=f |eval count_sourcetypes=mvcount(sourcetype)|where count_sourcetypes>1
0 Karma
1 Solution

somesoni2
Revered Legend

Not sure if the transaction command is really required here. You should be able to find IP's (dest_ip or src) between your sourcetypes like this

Updated#2

index=myindex sourcetype=* | eval common_ip=if(sourcetype="Vectra-CEF",dest_ip,src) | stats values(sourcetype) as sourcetypes by common_ip | where mvcount(sourcetypes)>1 AND isnotnull(mvfind(sourcetypes,"Vectra-CEF"))

If you do have a constraint which require you to use transaction, try like this (would not recommend though)

index=myindex sourcetype=* | eval common_ip=if(sourcetype="Vectra-CEF",dest_ip,src) | transaction common_ip maxspan=5d connected=f | where mvcount(sourcetype)>1  AND isnotnull(mvfind(sourcetype,"Vectra-CEF"))

View solution in original post

0 Karma

somesoni2
Revered Legend

Not sure if the transaction command is really required here. You should be able to find IP's (dest_ip or src) between your sourcetypes like this

Updated#2

index=myindex sourcetype=* | eval common_ip=if(sourcetype="Vectra-CEF",dest_ip,src) | stats values(sourcetype) as sourcetypes by common_ip | where mvcount(sourcetypes)>1 AND isnotnull(mvfind(sourcetypes,"Vectra-CEF"))

If you do have a constraint which require you to use transaction, try like this (would not recommend though)

index=myindex sourcetype=* | eval common_ip=if(sourcetype="Vectra-CEF",dest_ip,src) | transaction common_ip maxspan=5d connected=f | where mvcount(sourcetype)>1  AND isnotnull(mvfind(sourcetype,"Vectra-CEF"))
0 Karma

alex1895
Path Finder

Excellent. Thank you very much!

0 Karma

alex1895
Path Finder

It still for some reason gives events with two or more sourcetypes without the sourcetype "Vectra-CEF". Any idea why?

0 Karma

somesoni2
Revered Legend

I missed the part "matching IP". So now I added a condition to check that sourcetype list should contain Vectra-CEF sourcetype.

0 Karma

alex1895
Path Finder

Thanks, looks good. The only problem I now still have that I only want dest_ip taken from a one specific sourcetype. For the src I want every sourcetype included beside the other one I have used before.

0 Karma

somesoni2
Revered Legend

Not at all difficult to take care of that problem. Try the updated answer.

0 Karma

esix_splunk
Splunk Employee
Splunk Employee

Maybe something more a long the lines of

index=myindex sourcetype=vectra-cef OR sourcetype=* | stats count dc(dest_ip) AS unique_dest_ip dc(src) AS unique_src by sourcetype | where unique_dest_ip > 1 OR unique_src >1
0 Karma

alex1895
Path Finder

Not sure how this helps. I can't see how you search command does the matching of IPs I want. I put the sourcetype_count in so that only a event is displayed if an IP from Vectra-CEF matches with a different sourcetype.

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...