Getting Data In

Transaction Search: How to search after matching IPs from different sourcetypes.

alex1895
Path Finder

I want to search for matching IPs (dest_ip) between my events from my sourcetype "Vectra-CEF" and other sourcetypes with their IP in field src. I was not able to find my answer in Splunk Answers.

This search does not work out:

index=* sourcetype="Vectra-CEF" OR (sourcetype="*") | transaction dest_ip src maxspan=5d connected=f |eval count_sourcetypes=mvcount(sourcetype)|where count_sourcetypes>1
0 Karma
1 Solution

somesoni2
Revered Legend

Not sure if the transaction command is really required here. You should be able to find IP's (dest_ip or src) between your sourcetypes like this

Updated#2

index=myindex sourcetype=* | eval common_ip=if(sourcetype="Vectra-CEF",dest_ip,src) | stats values(sourcetype) as sourcetypes by common_ip | where mvcount(sourcetypes)>1 AND isnotnull(mvfind(sourcetypes,"Vectra-CEF"))

If you do have a constraint which require you to use transaction, try like this (would not recommend though)

index=myindex sourcetype=* | eval common_ip=if(sourcetype="Vectra-CEF",dest_ip,src) | transaction common_ip maxspan=5d connected=f | where mvcount(sourcetype)>1  AND isnotnull(mvfind(sourcetype,"Vectra-CEF"))

View solution in original post

0 Karma

somesoni2
Revered Legend

Not sure if the transaction command is really required here. You should be able to find IP's (dest_ip or src) between your sourcetypes like this

Updated#2

index=myindex sourcetype=* | eval common_ip=if(sourcetype="Vectra-CEF",dest_ip,src) | stats values(sourcetype) as sourcetypes by common_ip | where mvcount(sourcetypes)>1 AND isnotnull(mvfind(sourcetypes,"Vectra-CEF"))

If you do have a constraint which require you to use transaction, try like this (would not recommend though)

index=myindex sourcetype=* | eval common_ip=if(sourcetype="Vectra-CEF",dest_ip,src) | transaction common_ip maxspan=5d connected=f | where mvcount(sourcetype)>1  AND isnotnull(mvfind(sourcetype,"Vectra-CEF"))
0 Karma

alex1895
Path Finder

Excellent. Thank you very much!

0 Karma

alex1895
Path Finder

It still for some reason gives events with two or more sourcetypes without the sourcetype "Vectra-CEF". Any idea why?

0 Karma

somesoni2
Revered Legend

I missed the part "matching IP". So now I added a condition to check that sourcetype list should contain Vectra-CEF sourcetype.

0 Karma

alex1895
Path Finder

Thanks, looks good. The only problem I now still have that I only want dest_ip taken from a one specific sourcetype. For the src I want every sourcetype included beside the other one I have used before.

0 Karma

somesoni2
Revered Legend

Not at all difficult to take care of that problem. Try the updated answer.

0 Karma

esix_splunk
Splunk Employee
Splunk Employee

Maybe something more a long the lines of

index=myindex sourcetype=vectra-cef OR sourcetype=* | stats count dc(dest_ip) AS unique_dest_ip dc(src) AS unique_src by sourcetype | where unique_dest_ip > 1 OR unique_src >1
0 Karma

alex1895
Path Finder

Not sure how this helps. I can't see how you search command does the matching of IPs I want. I put the sourcetype_count in so that only a event is displayed if an IP from Vectra-CEF matches with a different sourcetype.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...