Hi guys,
more like a generic question: how do you make sense of events which are not necessarily linked by a common field? For example, one of our applications produces logs that generate many events/lines such as:
[08/Sep/2017:09:20:20 +0200] Logon request from 10.10.10.3
[08/Sep/2017:09:20:21 +0200] Object 662737354 deleted
[08/Sep/2017:09:20:21 +0200] User X77262 trying to connect ...
[08/Sep/2017:09:20:22 +0200] Logon Denied: Bad password
So lines 1, 3 and 4 represent a logon request but I cannot "transact" them as there is no common field. Or can I?
In a perfect world session IDs would be introduced in the logs OR more complete log entries, but changing code is a massive undertaking ... How do you guys deal with scenarios such as this one?
Thanks.
Hi robettinger,
If you don't have a transaction ID, you should check whether it's possible to correlate events using the host field (which you always have) and a duration (e.g. 5 seconds) or a starting and/or ending string.
e.g. in your example:
| transaction host startswith="Logon request from" endswith="Logon Denied:"
See all the transaction command options at http://docs.splunk.com/Documentation/Splunk/6.6.3/SearchReference/Transaction
Bye.
Giuseppe
Also, watch for events that overlap - like two or more users logging in at the same time. That is the best reason to change the logging to include a key (username, etc) so that you can separate the transaction events properly.
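To make both points concrete (the startswith/endswith grouping from Giuseppe's answer and the overlap problem above), here is an added Python example that is not part of this thread and not Splunk's code. It replays the question's log format with a second, interleaved logon appended (constructed sample), and groups events the way I understand `transaction startswith=... endswith=... maxspan=...` to behave (a start marker always opens a new transaction, closing any open one); that semantics is an assumption about the command, not a quote from the docs.

```python
import re
from datetime import datetime

# Constructed sample in the question's line format. Lines 5-8 add a second
# logon interleaved with a third one, so two "Logon Denied" lines arrive
# after two "Logon request" lines and the grouping has no key to tell apart.
SAMPLE_LOG = """\
[08/Sep/2017:09:20:20 +0200] Logon request from 10.10.10.3
[08/Sep/2017:09:20:21 +0200] Object 662737354 deleted
[08/Sep/2017:09:20:21 +0200] User X77262 trying to connect ...
[08/Sep/2017:09:20:22 +0200] Logon Denied: Bad password
[08/Sep/2017:09:20:30 +0200] Logon request from 10.10.10.4
[08/Sep/2017:09:20:31 +0200] Logon request from 10.10.10.5
[08/Sep/2017:09:20:32 +0200] Logon Denied: Bad password
[08/Sep/2017:09:20:33 +0200] Logon Denied: Bad password
"""

LINE_RE = re.compile(r"^\[([^\]]+)\] (.*)$")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_events(text):
    """Return (timestamp, message) tuples in log order; skip unparsable lines."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((datetime.strptime(m.group(1), TS_FMT), m.group(2)))
    return out


def group_transactions(events, startswith, endswith, maxspan=5):
    """Approximation (assumed) of transaction startswith/endswith/maxspan:
    returns (transactions, orphans), each transaction a list of messages."""
    txns, orphans, current = [], [], None
    for ts, msg in events:
        if current and (ts - current["start"]).total_seconds() > maxspan:
            txns.append(current)        # window expired: close without an end marker
            current = None
        if msg.startswith(startswith):
            if current:
                txns.append(current)    # overlap: a new start closes the open one
            current = {"start": ts, "msgs": [msg]}
        elif current is None:
            orphans.append(msg)         # nothing open to attach this event to
        else:
            current["msgs"].append(msg)
            if msg.startswith(endswith):
                txns.append(current)
                current = None
    if current:
        txns.append(current)
    return [t["msgs"] for t in txns], orphans
```

With the sample, the first logon groups correctly, but the interleaved pair yields one transaction holding only "Logon request from 10.10.10.4", one attributing the first denial to 10.10.10.5, and an orphaned second denial; whether that attribution is right cannot be decided from these lines, which is exactly why a username or session key in the log is the real fix.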