Splunk Search

Align results with time differences

Communicator

Good day Splunkers,

I'm having a problem with my search, well this is what I am trying to achieved.
I have 2 sources (AD events and DHCP events). I am retrieving AccountName and WorkstationName fields from AD while HostName and Description fields from DHCP. I am using join in my search and using the _time and IP Address as the common fields for both the searches. I did come up with results table. Great !
Here's what I have come up with my search:
index=ad sourcetype="WMI:WinEventLog:Security" CategoryString="Logon" Source
NetworkAddress=10.225.105.162 | rex "(?i)New\sLogon:\s+Security\sID:\s+.+\s+Account\sName:\s+(?P.+)" | eval Time=round(time,0) | table Time, AccountName, WorkstationName | join Time [search index=dhcpindex IPAddress=10.225.105.162 Description=Assign OR Description=Renew | eval Time=time | table Time,HostName,Description] | convert ctime(Time)

Well here comes my problem, there are events from AD that doesn't match the time from the DHCP source, like a second (or sometimes more) difference. My search won't output results since it can't match the same time on both sources.

See image:
AD source
alt text

DHCP source
alt text

I'm kinda out of search strings to use here. Is there a way I can set the seconds to match and align the results from both sources? I could use some help and guidance from our Search Gurus here.

Thanks,
crt

1 Solution

SplunkTrust
SplunkTrust

Joining with fuzzy time may be achieved by using transaction:

<filters for AD events> OR <filters for DHCP events> | <rex stuff> | transaction <common_field> maxspan=5s

Not sure if your data has common fields... but if it doesn't then joining by time is crap anyway, how to be sure no two DHCP/AD super-events happen at roughly the same time?

View solution in original post

SplunkTrust
SplunkTrust

Joining with fuzzy time may be achieved by using transaction:

<filters for AD events> OR <filters for DHCP events> | <rex stuff> | transaction <common_field> maxspan=5s

Not sure if your data has common fields... but if it doesn't then joining by time is crap anyway, how to be sure no two DHCP/AD super-events happen at roughly the same time?

View solution in original post

Communicator

Hi @martin_mueller !

Thanks for this. I did manage to stick together the events from AD and DHCP with time differences. I did the transaction command with maxspan with no common field to join.

Here's what my end result table is:
alt text

0 Karma