Solved: Transaction Search: How to search after matching I...

alex1895 · ‎02-16-2016

I want to search for matching IPs (dest_ip) between my events from my sourcetype "Vectra-CEF" and other sourcetypes with their IP in field src. I was not able to find my answer in Splunk Answers.

This search does not work out:

index=* sourcetype="Vectra-CEF" OR (sourcetype="*") | transaction dest_ip src maxspan=5d connected=f |eval count_sourcetypes=mvcount(sourcetype)|where count_sourcetypes>1

somesoni2 · ‎02-16-2016

Not sure if the transaction command is really required here. You should be able to find IP's (dest_ip or src) between your sourcetypes like this

Updated#2

index=myindex sourcetype=* | eval common_ip=if(sourcetype="Vectra-CEF",dest_ip,src) | stats values(sourcetype) as sourcetypes by common_ip | where mvcount(sourcetypes)>1 AND isnotnull(mvfind(sourcetypes,"Vectra-CEF"))

If you do have a constraint which require you to use transaction, try like this (would not recommend though)

index=myindex sourcetype=* | eval common_ip=if(sourcetype="Vectra-CEF",dest_ip,src) | transaction common_ip maxspan=5d connected=f | where mvcount(sourcetype)>1  AND isnotnull(mvfind(sourcetype,"Vectra-CEF"))

View solution in original post

somesoni2 · ‎02-16-2016

Not sure if the transaction command is really required here. You should be able to find IP's (dest_ip or src) between your sourcetypes like this

Updated#2

index=myindex sourcetype=* | eval common_ip=if(sourcetype="Vectra-CEF",dest_ip,src) | stats values(sourcetype) as sourcetypes by common_ip | where mvcount(sourcetypes)>1 AND isnotnull(mvfind(sourcetypes,"Vectra-CEF"))

If you do have a constraint which require you to use transaction, try like this (would not recommend though)

index=myindex sourcetype=* | eval common_ip=if(sourcetype="Vectra-CEF",dest_ip,src) | transaction common_ip maxspan=5d connected=f | where mvcount(sourcetype)>1  AND isnotnull(mvfind(sourcetype,"Vectra-CEF"))

alex1895 · ‎02-16-2016

Excellent. Thank you very much!

alex1895 · ‎02-16-2016

It still for some reason gives events with two or more sourcetypes without the sourcetype "Vectra-CEF". Any idea why?

somesoni2 · ‎02-16-2016

I missed the part "matching IP". So now I added a condition to check that sourcetype list should contain Vectra-CEF sourcetype.

alex1895 · ‎02-16-2016

Thanks, looks good. The only problem I now still have that I only want dest_ip taken from a one specific sourcetype. For the src I want every sourcetype included beside the other one I have used before.

somesoni2 · ‎02-16-2016

Not at all difficult to take care of that problem. Try the updated answer.

esix_splunk · ‎02-16-2016

Maybe something more a long the lines of

index=myindex sourcetype=vectra-cef OR sourcetype=* | stats count dc(dest_ip) AS unique_dest_ip dc(src) AS unique_src by sourcetype | where unique_dest_ip > 1 OR unique_src >1

alex1895 · ‎02-16-2016

Not sure how this helps. I can't see how you search command does the matching of IPs I want. I put the sourcetype_count in so that only a event is displayed if an IP from Vectra-CEF matches with a different sourcetype.

Transaction Search: How to search after matching IPs from different sourcetypes.

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation