Getting Data In

Transaction Search: How to search after matching IPs from different sourcetypes.

alex1895
Path Finder

I want to search for matching IPs (dest_ip) between my events from my sourcetype "Vectra-CEF" and other sourcetypes with their IP in field src. I was not able to find my answer in Splunk Answers.

This search does not work out:

index=* sourcetype="Vectra-CEF" OR (sourcetype="*") | transaction dest_ip src maxspan=5d connected=f |eval count_sourcetypes=mvcount(sourcetype)|where count_sourcetypes>1
0 Karma
1 Solution

somesoni2
Revered Legend

Not sure if the transaction command is really required here. You should be able to find IP's (dest_ip or src) between your sourcetypes like this

Updated#2

index=myindex sourcetype=* | eval common_ip=if(sourcetype="Vectra-CEF",dest_ip,src) | stats values(sourcetype) as sourcetypes by common_ip | where mvcount(sourcetypes)>1 AND isnotnull(mvfind(sourcetypes,"Vectra-CEF"))

If you do have a constraint which require you to use transaction, try like this (would not recommend though)

index=myindex sourcetype=* | eval common_ip=if(sourcetype="Vectra-CEF",dest_ip,src) | transaction common_ip maxspan=5d connected=f | where mvcount(sourcetype)>1  AND isnotnull(mvfind(sourcetype,"Vectra-CEF"))

View solution in original post

0 Karma

somesoni2
Revered Legend

Not sure if the transaction command is really required here. You should be able to find IP's (dest_ip or src) between your sourcetypes like this

Updated#2

index=myindex sourcetype=* | eval common_ip=if(sourcetype="Vectra-CEF",dest_ip,src) | stats values(sourcetype) as sourcetypes by common_ip | where mvcount(sourcetypes)>1 AND isnotnull(mvfind(sourcetypes,"Vectra-CEF"))

If you do have a constraint which require you to use transaction, try like this (would not recommend though)

index=myindex sourcetype=* | eval common_ip=if(sourcetype="Vectra-CEF",dest_ip,src) | transaction common_ip maxspan=5d connected=f | where mvcount(sourcetype)>1  AND isnotnull(mvfind(sourcetype,"Vectra-CEF"))
0 Karma

alex1895
Path Finder

Excellent. Thank you very much!

0 Karma

alex1895
Path Finder

It still for some reason gives events with two or more sourcetypes without the sourcetype "Vectra-CEF". Any idea why?

0 Karma

somesoni2
Revered Legend

I missed the part "matching IP". So now I added a condition to check that sourcetype list should contain Vectra-CEF sourcetype.

0 Karma

alex1895
Path Finder

Thanks, looks good. The only problem I now still have that I only want dest_ip taken from a one specific sourcetype. For the src I want every sourcetype included beside the other one I have used before.

0 Karma

somesoni2
Revered Legend

Not at all difficult to take care of that problem. Try the updated answer.

0 Karma

esix_splunk
Splunk Employee
Splunk Employee

Maybe something more a long the lines of

index=myindex sourcetype=vectra-cef OR sourcetype=* | stats count dc(dest_ip) AS unique_dest_ip dc(src) AS unique_src by sourcetype | where unique_dest_ip > 1 OR unique_src >1
0 Karma

alex1895
Path Finder

Not sure how this helps. I can't see how you search command does the matching of IPs I want. I put the sourcetype_count in so that only a event is displayed if an IP from Vectra-CEF matches with a different sourcetype.

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Request for Professional Development: Attending .conf26

Winning Over the Boss: Your Pass to .conf26 conf26 is going to be here before you know it. If don't already ...