Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How I can extract two diferent events in a single search

cservin81
Engager
‎10-18-2019 01:54 PM

Im new in this and I need some help with this

for example I need to correlate two events from linux.

my first search is

"svr-jrs-mat" rhost="*"

results: Oct 18 16:48:10 svr-jrs-mat-01 sshd[12160]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.11.61 user=aaa

where only I need rhost=10.0.11.61 and user=aaa for my second result

sourcetype=linux_secure "svr-jrs-mat" parametro="*"

result: Oct 18 16:48:21 svr-jrs-mat-01 sudo: aaa : TTY=pts/1 ; PWD=/home/aaa ; USER=root ; COMMAND=/bin/cat /var/log/secure

the thing is I need to correlate and know what user from what IP do sudo and the command in real time

I try with eval and rex but no result, thanks

regards

Reply

woodcock
Esteemed Legend
‎10-20-2019 01:29 PM

Try this:

index="YouShouldAlwaysSpeciryAnIndex" AND sourcetype="linux_secure" AND "svr-jrs-mat" AND parametro="*" AND [search index="YouShouldAlwaysSpeciryAnIndex" AND sourcetype="AndSourcetypeToo" AND "svr-jrs-mat" rhost="*" | table rhost user | format]
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-19-2019 01:17 PM

I'm interested in knowing what eval and rex commands you've tried. Have you tried something like this?

"svr-jrs-mat" (rhost="*" OR sourcetype=linux_secure parametro="*")
| rex "sudo: (?<sudo>\w+)
| eval user=coalesce(user, sudo)
| stats values(*) as * by user
| table _time user rhost COMMAND
---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...