Splunk Enterprise Security

help needed to understand correlation search in ES (sandbox)

soumyasaha2506
New Member

I am quite new to ES, although i have an good understanding of data models and other Splunk commands, i am unable to understand the below correlation search in ES.
| datamodel "Authentication" "Failed_Authentication" search | stats values(Authentication.tag) as "tag",dc(Authentication.user) as "user_count",dc(Authentication.dest) as "dest_count",count by "Authentication.app","Authentication.src" | rename "Authentication.app" as "app","Authentication.src" as "src" | where 'count'>=6
My queries are:
1. datamodel "Authentication" "Failed_Authentication" search - is it searching 2 DMs and what does the search at the end signify. going by the syntax it is not a subsearch that usually starts with "["
2. what does values(Authentication.tag) mean, if Authentication.tag is a field, where can i see the exact field extraction of this field

0 Karma
1 Solution

smoir_splunk
Splunk Employee
Splunk Employee

This is for the excessive failed logins correlation search, correct? This correlation search tutorial actually walks through the syntax of that search, and building it with the guided search editor. http://docs.splunk.com/Documentation/ES/4.7.4/Tutorials/GuidedCorrelationSearch

For your first question, Failed_Authentication is a dataset within the Authentication data model, so it's not searching 2 data models. The Failed_Authentication dataset is identified by the search constraint action=failure. The word search is there because of the way the datamodel command is used: http://docs.splunk.com/Documentation/Splunk/7.0.0/SearchReference/Datamodel

For your second question, values(Authentication.tag) looks for all the values of the Authentication.tag field. See https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Multivaluefunctions#values.28X.2...
Authentication.tag is not an extracted field, but the tag field of the Authentication data model.

View solution in original post

0 Karma

smoir_splunk
Splunk Employee
Splunk Employee

This is for the excessive failed logins correlation search, correct? This correlation search tutorial actually walks through the syntax of that search, and building it with the guided search editor. http://docs.splunk.com/Documentation/ES/4.7.4/Tutorials/GuidedCorrelationSearch

For your first question, Failed_Authentication is a dataset within the Authentication data model, so it's not searching 2 data models. The Failed_Authentication dataset is identified by the search constraint action=failure. The word search is there because of the way the datamodel command is used: http://docs.splunk.com/Documentation/Splunk/7.0.0/SearchReference/Datamodel

For your second question, values(Authentication.tag) looks for all the values of the Authentication.tag field. See https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Multivaluefunctions#values.28X.2...
Authentication.tag is not an extracted field, but the tag field of the Authentication data model.

View solution in original post

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!