Hi,
I am trying to correlate data from the IP watchlist app and firewall events.
The search: (index=test sourcetype=cisco_asa teardown) OR (index=test sourcetype=ip_watchlist) | transaction dest_ip,offending_ip maxspan=1d connected=f | eval count_sourcetypes=mvcount(sourcetype) | where count_sourcetypes>1
but it isn't working.
Any idea?
Thanks
OK, but you haven't shown us what's wrong with these results, i.e. what results you really were expecting and why.
I find using stats is a much better method for correlating data based on common fields.
stats list(some_field) AS all_values values(other_field) AS distinct_values by transaction_field
You can then pipe to things like mvexpand or eval's with multivalue functions to extract / count the data.
hth
Thanks brettcave,
I will try and inform you.
Thanks, I will try.
You can also do something like this to get the IP into a single field from both event types if it works better for you:
... | eval ip=case(eventtype="cisco",dest_ip,eventtype="ip_watchlist",offending_ip) | chart c(eval(eventtype="cisco")) as number_of_cisco_events c(eval(eventtype="ip_watchlist")) as number_of_watchlist_events over day by ip
(index=test sourcetype=cisco_asa teardown) OR (index=test sourcetype=ip_watchlist) | eval day=strftime(_time,"%F") | chart c as number_of_events list(offending_ip) as offending_ips over day by dest_ip
Use chart <aggr_func> over <field-x> by <field-y>, or stats <aggr_func> by <field-x>,<field-y>. Chart also supports the span parameter if you don't want to manually set the day using eval like I did - play around with it to get the exact results you are looking for.
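As an added illustration (not code from the thread or from Splunk), the stats-style correlation described above done in Python over constructed sample events in the two formats being discussed: a common ip field is derived from dest_ip or offending_ip, events are bucketed by day and IP, and the IPs seen in both sourcetypes on the same day are reported. The regexes, sourcetype names, timestamps and sample IPs (documentation ranges) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Field extractions for the two event formats (assumed regexes written for the
# constructed samples below, not Splunk's own extractions for these sourcetypes).
ASA_DEST_IP = re.compile(r" to \S+?:(\d{1,3}(?:\.\d{1,3}){3})/\d+")
WATCHLIST_IP = re.compile(r"offending-ip=(\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample events as (timestamp, sourcetype, raw); the public IPs are
# from documentation ranges, not real indicators.
SAMPLE_EVENTS = [
    ("2013-08-23 13:03:05", "cisco_asa",
     "%ASA-6-302014: Teardown TCP connection 924351437 for Inside:10.1.2.3/1081 "
     "to Internet:203.0.113.10/80 duration 0:00:30 bytes 0 SYN Timeout"),
    ("2013-08-23 13:03:26", "ip_watchlist",
     "splunk-host=splunk offending-ip=198.51.100.7"),
    ("2013-08-23 13:04:01", "cisco_asa",
     "%ASA-6-302014: Teardown TCP connection 924355686 for Inside:10.1.2.3/1084 "
     "to Internet:198.51.100.7/443 duration 0:00:30 bytes 0 SYN Timeout"),
    ("2013-08-24 02:00:00", "ip_watchlist",
     "splunk-host=splunk offending-ip=203.0.113.10"),
]

def extract_ip(sourcetype, raw):
    """Like eval ip=case(...): one common ip field from either event type, or None."""
    pattern = ASA_DEST_IP if sourcetype == "cisco_asa" else WATCHLIST_IP
    match = pattern.search(raw)
    return match.group(1) if match else None

def correlate_by_day(events):
    """Like: eval day=strftime(_time,"%F") | stats count values(sourcetype) by day, ip.
    Returns {(day, ip): {"count": n, "sourcetypes": {...}}}."""
    table = defaultdict(lambda: {"count": 0, "sourcetypes": set()})
    for ts, sourcetype, raw in events:
        ip = extract_ip(sourcetype, raw)
        if ip is None:
            continue  # no ip field: dropped from the by-clause, as stats would do
        day = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").date().isoformat()
        row = table[(day, ip)]
        row["count"] += 1
        row["sourcetypes"].add(sourcetype)
    return dict(table)

def correlated_ips(events):
    """Like: where mvcount(sourcetype)>1, i.e. IPs seen in both sourcetypes on one day."""
    table = correlate_by_day(events)
    return sorted(key for key, row in table.items() if len(row["sourcetypes"]) > 1)

if __name__ == "__main__":
    for (day, ip), row in sorted(correlate_by_day(SAMPLE_EVENTS).items()):
        print(day, ip, row["count"], sorted(row["sourcetypes"]))
    print("correlated:", correlated_ips(SAMPLE_EVENTS))
```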
Hi brettcave,
I don't know how to do it, can you post an example?
Thanks
Regards
The results:
Aug 23 13:03:05 %ASA-6-302014: Teardown TCP connection 924351437 for Inside:x.x.x.x/1081 to Internet:112.106.156.81/80 duration 0:00:30 bytes 0 SYN Timeout
vie ago 23 13:03:26 CEST 2013 splunk-host=splunk offending-ip=61.191.188.70
Aug 23 13:03:26 10.1.233.1 %ASA-6-302014: Teardown TCP connection 924355686 for Inside:x.x.x.x/1084 to Internet:112.106.156.81/80 duration 0:00:30 bytes 0 SYN Timeout
host=x.x.x.x
host=SPLUNK
sourcetype=ciscoasa
sourcetype=ipwatchlist
source=/opt/splunk/etc/apps/splunkipwatchlist/bin/getbadip.sh
Thanks
"Isn't working" isn't very helpful. Please tell us more about the exact results, and what troubleshooting process you have gone through.