Splunk Search

2 searches, focus on 1 unique field of the two searches to do a calculation of time

Xe03kfp
Path Finder

I have a log of a few hundred Snort alerts:
-All alerts have "the same" fields, but in order to find my needle in the haystack I have to
search for two fields; in the results of the search is my "unique" value.

Example:

Search 1:
2222222 dest_port="*" --I want the STAR value and its _time --AND possibly call the _raw results "Disconnect"

Search 2:
1111111 src_port="*" --I want the STAR value and its _time --AND possibly call the _raw results "Connect"

Then using the searches of "Disconnect" focus on "dest_port" and "Connect" focus on "src_port"
-Subtract the _time(s) of dest_port and src_port which will equal the "Total Time"
-To give me the time difference based on dest_port and src_port

If I search:

2222222 dest_port="*" OR 1111111 src_port="*" --It will give me ONLY 2222222 and highlight src_port AND dest_port of 2222222

I don't want that! 🙂 I want it to only highlight 2222222 dest_port and 1111111 src_port --I don't want the two searches to cross over the "OR", I guess is what I'm trying to say... --How do I make two unique searches and be able to subtract the _time of each, as said above, to give me my goal?

Linked is the search of 2222222 dest_port="*" OR 1111111 src_port="*" --To show you what I mean. Disregard the double fields; not sure why they are doubled at the moment.


1 Solution

sideview
SplunkTrust

I'm far from sure that I understand your question, but it seems like you're not using parentheses when you should be. What you had was

2222222 dest_port="*" OR 1111111 src_port="*"

but this will mean 2222222 AND (dest_port="*" OR 1111111) AND src_port="*"

I think what you want is:

( 2222222 dest_port="*") OR (1111111 src_port="*") 

But I don't understand how exactly you want to stitch together the Connect and Disconnect events. Is the src_port value of one side equal to the dest_port value of the other side?

If so then you would use the eval command to make yourself a field that did have the same name from one side to the other, to make _time values as appropriate, and then stats to roll it all together.

I'm making a ton of assumptions, but this might not be totally off base:

( 2222222 dest_port="*") OR (1111111 src_port="*")
| eval disconnect_time=if(match(_raw,"2222222"),_time,null())
| eval connect_time=if(match(_raw,"1111111"),_time,null())
| eval myPortField=if(isnotnull(disconnect_time),dest_port,myPortField)
| eval myPortField=if(isnotnull(connect_time),src_port,myPortField)
| stats min(connect_time) as connect max(disconnect_time) as disconnect by myPortField

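As an added example, not part of the original thread or the answer above, here is the pairing logic the answer's SPL performs, reimplemented in Python so it can be checked offline against a handful of constructed Snort fast-format alerts before it is trusted on real data. It assumes 1111111 and 2222222 are the Snort signature IDs of the "Connect" and "Disconnect" rules, that the ephemeral port is src_port on the Connect alert and dest_port on the Disconnect alert (as the asker confirms further down), and a year of 2024 for the timestamps, which Snort's fast format omits. It also covers the two follow-up requests in the thread: a Disconnect with no matching Connect (the false positive) is dropped rather than reported with a blank time, and the durations are totalled per client source IP and across the whole set.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts in Snort "fast" alert format (not from the original post).
# Signature IDs 1111111 ("Connect") and 2222222 ("Disconnect") follow the question.
# The last Disconnect (port 60000) has no matching Connect: it stands in for the
# false positive the asker mentions and must not produce a row with a blank time.
SAMPLE_ALERTS = """\
03/04-09:00:00.000000  [**] [1:1111111:1] Connect [**] [Priority: 3] {TCP} 10.0.0.5:51234 -> 192.168.1.10:443
03/04-09:00:05.000000  [**] [1:1111111:1] Connect [**] [Priority: 3] {TCP} 10.0.0.7:40001 -> 192.168.1.10:443
03/04-09:00:20.000000  [**] [1:2222222:1] Disconnect [**] [Priority: 3] {TCP} 192.168.1.10:443 -> 10.0.0.7:40001
03/04-09:01:00.000000  [**] [1:1111111:1] Connect [**] [Priority: 3] {TCP} 10.0.0.5:51235 -> 192.168.1.10:443
03/04-09:02:30.000000  [**] [1:2222222:1] Disconnect [**] [Priority: 3] {TCP} 192.168.1.10:443 -> 10.0.0.5:51234
03/04-09:03:00.000000  [**] [1:2222222:1] Disconnect [**] [Priority: 3] {TCP} 192.168.1.10:443 -> 10.0.0.5:51235
03/04-09:03:10.000000  [**] [1:2222222:1] Disconnect [**] [Priority: 3] {TCP} 192.168.1.10:443 -> 10.0.0.9:60000
"""

# The fields a Snort add-on would extract in Splunk: sid, src_ip, src_port, dest_ip, dest_port.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src_ip>[\d.]+):(?P<src_port>\d+)\s+->\s+(?P<dest_ip>[\d.]+):(?P<dest_port>\d+)\s*$"
)

ASSUMED_YEAR = "2024"  # assumption: fast-format timestamps carry no year


def parse_alert(line):
    """Return a dict of extracted fields plus _time, or None for lines that do not parse."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["_time"] = datetime.strptime(ASSUMED_YEAR + "/" + fields["ts"], "%Y/%m/%d-%H:%M:%S.%f")
    return fields


def pair_sessions(raw_alerts, connect_sid="1111111", disconnect_sid="2222222"):
    """Mirror of the answer's SPL: key Connect alerts by src_port and Disconnect
    alerts by dest_port (the ephemeral port), keep min(connect_time) and
    max(disconnect_time) per port, then subtract. Ports seen on only one side
    are dropped instead of being reported with a blank time. As with the SPL,
    a port reused within the search window collapses into one long session."""
    connects = {}     # port -> (earliest connect _time, client src_ip)
    disconnects = {}  # port -> latest disconnect _time
    for line in raw_alerts.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        if alert["sid"] == connect_sid:
            port = alert["src_port"]
            if port not in connects or alert["_time"] < connects[port][0]:
                connects[port] = (alert["_time"], alert["src_ip"])
        elif alert["sid"] == disconnect_sid:
            port = alert["dest_port"]
            if port not in disconnects or alert["_time"] > disconnects[port]:
                disconnects[port] = alert["_time"]

    sessions = []
    for port, (connect_time, client_ip) in connects.items():
        disconnect_time = disconnects.get(port)
        if disconnect_time is None or disconnect_time < connect_time:
            # unmatched (the false-positive case) or out of order: nothing to subtract
            continue
        sessions.append({
            "src_ip": client_ip,
            "port": port,
            "total_time": (disconnect_time - connect_time).total_seconds(),
        })
    return sessions


def summarize(sessions):
    """Total time per client src_ip, plus the grand total across all sessions."""
    per_src = defaultdict(float)
    for s in sessions:
        per_src[s["src_ip"]] += s["total_time"]
    return dict(per_src), sum(per_src.values())


if __name__ == "__main__":
    per_src, grand_total = summarize(pair_sessions(SAMPLE_ALERTS))
    for src_ip, total in sorted(per_src.items()):
        print(f"{src_ip:<15} {total:>8.0f} s")
    print(f"{'ALL':<15} {grand_total:>8.0f} s")
```

On the sample data this drops the lone Disconnect on port 60000 and reports 270 s for 10.0.0.5, 15 s for 10.0.0.7 and 285 s overall. The SPL counterpart of the drop-and-subtract step, which I would append to the answer's search, is `| where isnotnull(connect) AND isnotnull(disconnect) | eval total_time=disconnect-connect`; rolling that up per source address then needs the Connect side's src_ip carried through the stats in the same way as myPortField.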


Xe03kfp
Path Finder

I posted an additional question if you have a few minutes?


Xe03kfp
Path Finder

Here is the search you wanted me to do:

"I think what you want is:

( 2222222 dest_port="*") OR (1111111 src_port="*")
"

Here is the result of that search, which gives me both src and dest port.

If you notice, both src_port and dest_port are highlighted. I tried every way I could to somehow combine the searches to be totally 2 separate searches of the two fields but was unsuccessful.


Xe03kfp
Path Finder

Mind you, I do have a false positive from Snort that does not have the same ephemeral port and may have blank times --or is there a way to say "if none are the same then do NOT show"?


Xe03kfp
Path Finder
This is why I had to search for two fields but am only interested in the src and dest port fields. I needed to create a search that will arrive at giving me the 2222222 and 1111111 ephemeral port and calculate the time: _time of 2222222 - _time of 1111111 = Total time

I'd like to have:
Summary--
SRC IP Total Time
SRC IP Total Time
-Of all unique SRC IPs
&
Total Time from ALL as a total calculation (which will be based on the search time frame I select)


Xe03kfp
Path Finder

Sooo Close!!! WOW!!!! I would have never even got close!


Your question:
"But I don't understand how exactly you want to stitch together the Connect and Disconnect events. Is the src_port value of one side equal to the dest_port value of the other side? "
- YES The Src_port value of one side is equal to dest_port value --Ephemeral Port
