Splunk Search

Connecting events that don't have a common field

robettinger
Explorer

Hi guys,

More of a generic question: how do you make sense of events that are not necessarily linked by a common field? For example, one of our applications produces logs that generate many events/lines such as:

[08/Sep/2017:09:20:20 +0200] Logon request from 10.10.10.3
[08/Sep/2017:09:20:21 +0200] Object 662737354 deleted
[08/Sep/2017:09:20:21 +0200] User X77262 trying to connect ...
[08/Sep/2017:09:20:22 +0200] Logon Denied: Bad password

So lines 1, 3 and 4 represent a logon request but I cannot "transact" them as there is no common field. Or can I?

In a perfect world session IDs would be introduced in the logs OR more complete log entries, but changing code is a massive undertaking ... How do you guys deal with scenarios such as this one?

Thanks.

0 Karma

gcusello
SplunkTrust

Hi robettinger,
if you don't have a transaction ID, you should check whether it's possible to correlate events using the host field (which you always have) and a duration (e.g. 5 seconds) or a starting and/or ending string.
e.g. in your example:

| transaction host startswith="Logon request from" endswith="Logon Denied:"

see all the transaction command options at http://docs.splunk.com/Documentation/Splunk/6.6.3/SearchReference/Transaction
Bye.
Giuseppe

0 Karma

cpetterborg
SplunkTrust

Also, watch for events that overlap - like two or more users logging in at the same time. That is the best reason to change the logging to include a key (username, etc) so that you can separate the transaction events properly.

0 Karma
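The following is an added example, not code from this thread or from Splunk: a small Python emulation of what gcusello's `transaction host startswith=... endswith=...` does (group events per host from a start marker to an end marker, within a maximum span), run over the four lines from the question plus a constructed second batch in which two users log on at the same second, to show the overlap problem cpetterborg describes. The host name "app01", the second batch of log lines, the `maxspan` default and the "one user per transaction" check are all assumptions made for the example; the emulation is simplified (a new start marker closes the open group) and is not a reimplementation of Splunk's exact semantics.

```python
"""Emulate `transaction <host> startswith=... endswith=... maxspan=...` over
application log lines and show why interleaved logons cannot be separated
without a per-session key.  Added example; log lines marked constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import re

# "[08/Sep/2017:09:20:20 +0200] Logon request from 10.10.10.3"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<msg>.*)$")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The four lines from the question.
SINGLE_LOGON = """
[08/Sep/2017:09:20:20 +0200] Logon request from 10.10.10.3
[08/Sep/2017:09:20:21 +0200] Object 662737354 deleted
[08/Sep/2017:09:20:21 +0200] User X77262 trying to connect ...
[08/Sep/2017:09:20:22 +0200] Logon Denied: Bad password
"""

# Constructed: two users logging on at the same time on the same host.
OVERLAP = """
[08/Sep/2017:09:21:00 +0200] Logon request from 10.10.10.3
[08/Sep/2017:09:21:00 +0200] Logon request from 10.10.10.7
[08/Sep/2017:09:21:01 +0200] User X77262 trying to connect ...
[08/Sep/2017:09:21:01 +0200] User Y10004 trying to connect ...
[08/Sep/2017:09:21:02 +0200] Logon Denied: Bad password
[08/Sep/2017:09:21:02 +0200] Logon OK
"""


@dataclass
class Event:
    host: str          # assumed to be supplied by the forwarder, like Splunk's host field
    ts: datetime
    msg: str


@dataclass
class Transaction:
    host: str
    events: list = field(default_factory=list)

    @property
    def duration(self) -> float:
        return (self.events[-1].ts - self.events[0].ts).total_seconds()

    @property
    def users(self) -> list:
        """Distinct user IDs mentioned anywhere inside the group."""
        found = set()
        for e in self.events:
            m = re.search(r"\bUser (\S+)", e.msg)
            if m:
                found.add(m.group(1))
        return sorted(found)


def parse(host: str, raw: str) -> list:
    events = []
    for line in raw.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(host, datetime.strptime(m["ts"], TS_FMT), m["msg"]))
    return events


def transact(events, startswith, endswith, maxspan=timedelta(seconds=5)):
    """One open group per host.  A start marker opens a group (closing any
    group already open on that host); every later event on the host joins it
    until the end marker or until maxspan is exceeded.  Events that fall
    outside an open group are dropped, exactly like unrelated lines that fall
    *inside* one are kept: the grouping key is only host + time."""
    open_tx, done = {}, []
    for e in sorted(events, key=lambda ev: ev.ts):
        tx = open_tx.get(e.host)
        if tx is not None and e.ts - tx.events[0].ts > maxspan:
            done.append(open_tx.pop(e.host))     # expired without an end marker
            tx = None
        if e.msg.startswith(startswith):
            if tx is not None:
                done.append(open_tx.pop(e.host))
            open_tx[e.host] = Transaction(e.host, [e])
            continue
        if tx is None:
            continue
        tx.events.append(e)
        if e.msg.startswith(endswith):
            done.append(open_tx.pop(e.host))
    done.extend(open_tx.values())
    return done


def ambiguous(tx: Transaction) -> bool:
    """Assumed sanity check: a logon group that cannot be attributed to exactly
    one user is not usable as evidence of who was denied."""
    return len(tx.users) != 1


if __name__ == "__main__":
    for label, raw in (("single", SINGLE_LOGON), ("overlap", OVERLAP)):
        for tx in transact(parse("app01", raw), "Logon request from", "Logon Denied:"):
            print(label, len(tx.events), "events", tx.duration, "s users", tx.users,
                  "AMBIGUOUS" if ambiguous(tx) else "ok")
```

Two things worth noticing when you run it: the single-logon group picks up the unrelated "Object ... deleted" line because it is on the same host inside the window, and the overlapping batch yields one group containing both X77262 and Y10004, so the "Logon Denied" cannot be attributed to either of them. Tightening `maxspan` does not help; it only truncates groups.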