
Correlate two sources when an event from source A happens in between 2 events on source B (VPN session)

bcusick
Communicator

Hi,

I am trying to see when an event happens on source=A in between 2 events on source=VPN.
My VPN source provides two different events for "login" and "logout".

I want to link the two sources by usernames, but source=A has them listed differently as "app_user". I currently use a lookup table to return the type of username I want, "ad_id". My VPN source has the user listed as 'citrix_user'.

source=A has fields called 'app_user' and a few other non-important sources.

source=VPN has fields called _time, citrix_user, and action. Action is either 'LOGIN' or 'LOGOUT'.

This is what I have but it is not mapping the citrix_user correctly. The status should return "ok" if there is a match.

source="A" | lookup lookuptable.csv app_user OUTPUT ad_id | join ad_id [search source=VPN | fields + citrix_user, _time, action] | eval status = if((ad_id=citrix_user), "ok", "alert") | table _time, trader_login, ad_id, citrix_user, action, status

chris
Motivator

I recommend that you have a look at how the Splunk CIM can be used to normalize your field names. The coalesce function for the eval command used below will make sure that you have a "user" field in both your sources.

You might be able to correlate your events using the transaction command:

source="A" OR source=VPN | lookup lookuptable.csv app_user | eval user=coalesce(ad_id,citrix_user) | transaction user | where eventcount > 2 |where mvcount(source)>1 | table _time, trader_login, ad_id, citrix_user, action

The transaction command will group the events that belong to one event. It has options to define the limits of the events that belong together such as maxspan or startswith. You could use the startswith parameter with a string that identifies your VPN login. By searching for transactions with an eventcount > 2 and that consist of events from more than one source you should get results with a login event, a "source A" event and a logout event (this might need fine tuning though).

Just another thing I've noticed is that you search for sources in your search. Usually it is best to use sourcetypes. But you might have a reason for doing it this way.
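The correlation the answer above builds with lookup, coalesce and transaction, written out in plain Python as an added example (not code from the thread or from Splunk): the lookup maps app_user to ad_id, LOGIN/LOGOUT pairs per user become sessions bounded by a maxspan, and each source A event is flagged as inside a VPN session, outside one, or unmapped by the lookup. All usernames, timestamps and the lookup table are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample data standing in for the two sources and the lookup CSV.
LOOKUP = {"jdoe_app": "jdoe", "asmith_app": "asmith"}  # app_user -> ad_id
VPN_EVENTS = [  # source=VPN: (_time, citrix_user, action)
    ("2024-01-01T08:00:00", "jdoe", "LOGIN"),
    ("2024-01-01T09:00:00", "jdoe", "LOGOUT"),
    ("2024-01-01T10:00:00", "asmith", "LOGIN"),    # no LOGOUT yet
]
APP_EVENTS = [  # source=A: (_time, app_user)
    ("2024-01-01T08:30:00", "jdoe_app"),     # inside jdoe's VPN session
    ("2024-01-01T09:30:00", "jdoe_app"),     # after jdoe logged out
    ("2024-01-01T10:15:00", "asmith_app"),   # during an open session
    ("2024-01-01T11:00:00", "unknown_app"),  # lookup miss
]

def vpn_sessions(vpn_events, maxspan=timedelta(hours=12)):
    """Pair each LOGIN with the next LOGOUT of the same user, like
    `transaction user startswith=LOGIN endswith=LOGOUT maxspan=...`.
    A LOGIN without a LOGOUT is an open session capped at maxspan."""
    sessions, open_login = {}, {}
    for ts, user, action in sorted(vpn_events):   # ISO strings sort by time
        t = datetime.fromisoformat(ts)
        if action == "LOGIN":
            open_login[user] = t
        elif action == "LOGOUT" and user in open_login:
            start = open_login.pop(user)
            if t - start <= maxspan:
                sessions.setdefault(user, []).append((start, t))
    for user, start in open_login.items():
        sessions.setdefault(user, []).append((start, start + maxspan))
    return sessions

def correlate(app_events, vpn_events, lookup, maxspan=timedelta(hours=12)):
    """Return (_time, app_user, ad_id, status) per source A event."""
    sessions = vpn_sessions(vpn_events, maxspan)
    results = []
    for ts, app_user in app_events:
        ad_id = lookup.get(app_user)   # the lookup step; None on a miss
        t = datetime.fromisoformat(ts)
        if ad_id is None:
            status = "unmapped_user"
        elif any(s <= t <= e for s, e in sessions.get(ad_id, [])):
            status = "in_session"
        else:
            status = "outside_session"
        results.append((ts, app_user, ad_id, status))
    return results

if __name__ == "__main__":
    for row in correlate(APP_EVENTS, VPN_EVENTS, LOOKUP):
        print(row)
```

Unmapped users are reported separately rather than silently dropped, which is the case a join on ad_id would hide.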


bcusick
Communicator

I meant to answer this earlier, but this worked like a charm. Thank you! And yes, my search was specific to certain sources.
