Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Correlate between source-types (IDS + OSINT sources)

aswanda
Engager
‎03-09-2013 04:08 PM

I am trying to correlate the field src_IP between all my IDS alerts (sourcetype=estreamer) and OSINT data I am pulling from a custom script. The OSINT script scrapes websites for known bad attacker IP addresses and I would like to know if any of the src_IP's from my IDS alerts match any of the src_IP's from the OSINT data.

I was looking at subsearches, which seems to be the best way to correlate across different data sets, but I am not having much luck with the syntax.

What I tried was something like this:
sourcetype=estreamer | sourcetype=osint | top limit 100 src_IP | table src_IP

Which I thought should compare the two src_IP fields from each sourcetype and only show the matching results.
Am I headed in the right direction? Any help would be great!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎03-09-2013 05:35 PM

No. The syntax for subsearch is more like:

sourcetype=estreamer [ sourcetype=osint | dedup src_ip | return src_ip ] | top limit 100 src_ip

or you can reverse the two sourcetypes, and generally it's better to have the one with fewer events/values for src_ip in the subsearch.

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎03-09-2013 05:35 PM

No. The syntax for subsearch is more like:

sourcetype=estreamer [ sourcetype=osint | dedup src_ip | return src_ip ] | top limit 100 src_ip

or you can reverse the two sourcetypes, and generally it's better to have the one with fewer events/values for src_ip in the subsearch.

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎03-14-2013 08:45 AM

no, in that case you can rename the field, e.g., 

... [ sourcetype=osint | dedup dst_ip | return src_ip=dst_ip ] ...

or as you said, alias them permanently. But you have to make the inner field match what's in the outer search.

0 Karma
Reply
Solved! Jump to solution

aswanda
Engager
‎03-13-2013 09:42 PM

Is there a way to correlate the same query but say src_ip from one source and dst_ip from the other?
I think your answer will work if I create field aliases, but for other types of correlations that don't have a common field - is it still possible?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...