Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Comparing results from three separate events
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
venomousmoose
Engager
10-02-2017
02:28 PM
Forgive my ignorance if this has been answered elsewhere, I did my best to search for an answer but have not found it.
I am trying to compare three different search results for three separate events for specific time periods. Here are the strings I'm searching for:
1. user=BeerNFries OR ComputerName=xyz.local OR srcip="123.123.123.123"
2. user=Id10T OR ComputerName=123.local OR srcip="111.111.111.111"
3. user=PhishMe OR ComputerName=456.local OR srcip="222.222.222.222"
Where:
Event 1 occurred 9/17/2017 between 11:45 - 11:48
Event 2 occurred 8/19/2017 between 14:15 - 14:20
Event 3 occurred 9/12/2017 between 15:21 - 15:39
How would I be able to compare what happened during these times to look for similarities?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sduff_splunk
Splunk Employee
10-02-2017
08:44 PM
Are you wanting to get all the events for each one of those time periods in the one search? If so,
(user=BeerNFries OR ComputerName=xyz.local OR srcip="123.123.123.123" earliest="9/17/2017:11:45:00" latest="9/17/2017:11:48:00" ) OR (user=Id10T OR ComputerName=123.local OR srcip="111.111.111.111" earliest="8/19/2017:14:45:00" latest="8/19/2017:14:20:00") OR (user=PhishMe OR ComputerName=456.local OR srcip="222.222.222.222" earliest="9/12/2017:15:21:00" latest="9/12/2017:15:39:00")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
10-02-2017
08:51 PM
Okay, this is a big wide broad open clean slate of a question, especially since you have withheld a lot of the information that would allow us to be more specific..
I believe when you say "event" you don't mean the technical term, "a specific record in the Splunk database", I believe you mean "a set of things that happened that we are worried about."
So, the first thing that I would do is dump all the events from all indexes related to each of those time frames for any of those users, IPs and computernames, and put all of them into a purpose-build summary index, to save you from having to pull them repeatedly.
I would identify the types of records that are in there, and then run a scan across the entire time frame to see how common each of those types of events is. Since you are only looking at a few minutes, it shouldn't be that difficult to isolate what events are there, and then look for other clusters of the same events, not associated with whatever worries you, so you can compare and identify any differences.
If you'd like to be more specific, then we can probably help more.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
venomousmoose
Engager
10-03-2017
08:07 AM
What I'm looking for is activity before and after a virus alert on three different computers on three different days. I'm trying to figure out if there any similar activities (websites visited, emails received, etc...) just before the events that could have triggered the alert.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sduff_splunk
Splunk Employee
10-02-2017
08:44 PM
Are you wanting to get all the events for each one of those time periods in the one search? If so,
(user=BeerNFries OR ComputerName=xyz.local OR srcip="123.123.123.123" earliest="9/17/2017:11:45:00" latest="9/17/2017:11:48:00" ) OR (user=Id10T OR ComputerName=123.local OR srcip="111.111.111.111" earliest="8/19/2017:14:45:00" latest="8/19/2017:14:20:00") OR (user=PhishMe OR ComputerName=456.local OR srcip="222.222.222.222" earliest="9/12/2017:15:21:00" latest="9/12/2017:15:39:00")
Get Updates on the Splunk Community!
Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...
This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Splunk Community Badges!
Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...
What You Read The Most: Splunk Lantern’s Most Popular Articles!
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
