Splunk Enterprise Security

How I can extract two diferent events in a single search

cservin81
Engager

Im new in this and I need some help with this

for example I need to correlate two events from linux.

my first search is

"svr-jrs-mat" rhost="*"

results: Oct 18 16:48:10 svr-jrs-mat-01 sshd[12160]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.11.61 user=aaa

where only I need rhost=10.0.11.61 and user=aaa for my second result

sourcetype=linux_secure "svr-jrs-mat" parametro="*"

result: Oct 18 16:48:21 svr-jrs-mat-01 sudo: aaa : TTY=pts/1 ; PWD=/home/aaa ; USER=root ; COMMAND=/bin/cat /var/log/secure

the thing is I need to correlate and know what user from what IP do sudo and the command in real time

I try with eval and rex but no result, thanks

regards

woodcock
Esteemed Legend

Try this:

index="YouShouldAlwaysSpeciryAnIndex" AND sourcetype="linux_secure" AND "svr-jrs-mat" AND parametro="*" AND [search index="YouShouldAlwaysSpeciryAnIndex" AND sourcetype="AndSourcetypeToo" AND "svr-jrs-mat" rhost="*" | table rhost user | format]

richgalloway
SplunkTrust
SplunkTrust

I'm interested in knowing what eval and rex commands you've tried. Have you tried something like this?

"svr-jrs-mat" (rhost="*" OR sourcetype=linux_secure parametro="*")
| rex "sudo: (?<sudo>\w+)
| eval user=coalesce(user, sudo)
| stats values(*) as * by user
| table _time user rhost COMMAND
---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...