Splunk Enterprise Security

help needed to understand correlation search in ES (sandbox)

New Member

I am quite new to ES, although i have an good understanding of data models and other Splunk commands, i am unable to understand the below correlation search in ES.
| datamodel "Authentication" "Failed_Authentication" search | stats values(Authentication.tag) as "tag",dc(Authentication.user) as "user_count",dc(Authentication.dest) as "dest_count",count by "Authentication.app","Authentication.src" | rename "Authentication.app" as "app","Authentication.src" as "src" | where 'count'>=6
My queries are:
1. datamodel "Authentication" "Failed_Authentication" search - is it searching 2 DMs and what does the search at the end signify. going by the syntax it is not a subsearch that usually starts with "["
2. what does values(Authentication.tag) mean, if Authentication.tag is a field, where can i see the exact field extraction of this field

0 Karma
1 Solution

Splunk Employee
Splunk Employee

This is for the excessive failed logins correlation search, correct? This correlation search tutorial actually walks through the syntax of that search, and building it with the guided search editor. http://docs.splunk.com/Documentation/ES/4.7.4/Tutorials/GuidedCorrelationSearch

For your first question, Failed_Authentication is a dataset within the Authentication data model, so it's not searching 2 data models. The Failed_Authentication dataset is identified by the search constraint action=failure. The word search is there because of the way the datamodel command is used: http://docs.splunk.com/Documentation/Splunk/7.0.0/SearchReference/Datamodel

For your second question, values(Authentication.tag) looks for all the values of the Authentication.tag field. See https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Multivaluefunctions#values.28X.2...
Authentication.tag is not an extracted field, but the tag field of the Authentication data model.

View solution in original post

0 Karma

Splunk Employee
Splunk Employee

This is for the excessive failed logins correlation search, correct? This correlation search tutorial actually walks through the syntax of that search, and building it with the guided search editor. http://docs.splunk.com/Documentation/ES/4.7.4/Tutorials/GuidedCorrelationSearch

For your first question, Failed_Authentication is a dataset within the Authentication data model, so it's not searching 2 data models. The Failed_Authentication dataset is identified by the search constraint action=failure. The word search is there because of the way the datamodel command is used: http://docs.splunk.com/Documentation/Splunk/7.0.0/SearchReference/Datamodel

For your second question, values(Authentication.tag) looks for all the values of the Authentication.tag field. See https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Multivaluefunctions#values.28X.2...
Authentication.tag is not an extracted field, but the tag field of the Authentication data model.

View solution in original post

0 Karma