Splunk Search

Correlate data with transaction

fahrenheit
New Member

Hi,

I am trying to correlate data from the IP watchlist app with firewall events.

The search: (index=test sourcetype=cisco_asa teardown) OR (index=test sourcetype=ip_watchlist) | transaction dest_ip,offending_ip maxspan=1d connected=f | eval count_sourcetypes=mvcount(sourcetype) | where count_sourcetypes>1

But it isn't working.

Any ideas?

thanks

0 Karma

Ayn
Legend

OK, but you haven't shown us what's wrong with these results, i.e. what results you were really expecting and why.

0 Karma

brettcave
Builder

I find using stats is a much better method for correlating data based on common fields.

stats list(some_field) AS all_values values(other_field) AS distinct_values by transaction_field

You can then pipe to things like mvexpand or eval's with multivalue functions to extract / count the data.

hth

0 Karma

fahrenheit
New Member

Thanks brettcave,

I will try and inform you

0 Karma

fahrenheit
New Member

Thanks, I will try.

0 Karma

brettcave
Builder

You can also do something like this to get the IP into a single field from both event types if it works better for you:
... | eval ip=case(eventtype="cisco",dest_ip,eventtype="ip_watchlist",offending_ip) | chart c(eval(eventtype="cisco")) as number_of_cisco_events c(eval(eventtype="ip_watchlist")) as number_of_watchlist_events over day by ip

0 Karma

brettcave
Builder

(index=test sourcetype=cisco_asa teardown) OR (index=test sourcetype=ip_watchlist) | eval day=strftime(_time,"%F") | chart c as number_of_events list(offending_ip) as offending_ips over day by dest_ip

use chart <aggr_func> over <field-x> by <field-y>, or stats <aggr_func> by <field-x>,<field-y>. Chart also supports the span parameter if you don't want to manually set the day using eval like I did - play around with it to get the exact results you are looking for.

0 Karma
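Added example (mine, not code from the thread or from Splunk): the stats-based correlation brettcave describes above, together with the eval step that puts dest_ip and offending_ip into a single field, re-implemented in Python over constructed sample lines modelled on the raw events posted in the thread, so the grouping can be run and inspected outside Splunk. The sourcetype names are taken from the question's search (cisco_asa, ip_watchlist); the field listing in the posted results shows sourcetype=ciscoasa and sourcetype=ipwatchlist, so whichever search is used, its sourcetype filter has to match what the index actually holds. The year applied to the ASA lines (which carry none) and the inside addresses are assumptions made for the example.

```python
"""Correlate firewall teardown events with IP-watchlist hits on a shared ip field.

Added example, not code from the thread or from Splunk: it re-implements the
stats-style grouping brettcave describes, over constructed sample lines, so the
logic can be run and inspected outside Splunk. The SPL it mirrors (sourcetype
names taken from the question's search; coalesce plays the role of the
eval/case step that builds one ip field from dest_ip and offending_ip):

  (index=test sourcetype=cisco_asa teardown) OR (index=test sourcetype=ip_watchlist)
  | eval ip=coalesce(dest_ip, offending_ip), day=strftime(_time, "%Y-%m-%d")
  | stats count AS number_of_events values(sourcetype) AS sourcetypes
          dc(sourcetype) AS sourcetype_count by day, ip
  | where sourcetype_count > 1
"""
import re
from collections import defaultdict
from datetime import datetime

# ASA syslog lines carry no year; Splunk fills it in at index time.
# Constant assumed for this stand-alone example.
ASSUMED_YEAR = 2013

# Constructed sample events modelled on the raw lines posted in the thread
# (not the thread's own data; inside addresses and the last two lines are made up).
SAMPLE_EVENTS = [
    ("cisco_asa", "Aug 23 13:03:05 %ASA-6-302014: Teardown TCP connection 924351437 "
                  "for Inside:10.0.0.5/1081 to Internet:112.106.156.81/80 duration 0:00:30 bytes 0 SYN Timeout"),
    ("ip_watchlist", "Fri Aug 23 13:03:26 CEST 2013 splunk-host=splunk offending-ip=61.191.188.70"),
    ("cisco_asa", "Aug 23 13:03:26 10.1.233.1 %ASA-6-302014: Teardown TCP connection 924355686 "
                  "for Inside:10.0.0.5/1084 to Internet:112.106.156.81/80 duration 0:00:30 bytes 0 SYN Timeout"),
    ("ip_watchlist", "Fri Aug 23 13:04:00 CEST 2013 splunk-host=splunk offending-ip=112.106.156.81"),
    ("cisco_asa", "Aug 24 09:10:11 %ASA-6-302014: Teardown TCP connection 924400000 "
                  "for Inside:10.0.0.7/2000 to Internet:61.191.188.70/443 duration 0:01:00 bytes 512 TCP FINs"),
]

# dest_ip is the outside peer of the teardown (the address after "to Internet:").
ASA_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) \d\d:\d\d:\d\d .*?"
    r"Teardown \w+ connection \d+ for \w+:(?P<src_ip>[\d.]+)/\d+ "
    r"to \w+:(?P<dest_ip>[\d.]+)/\d+"
)
# The watchlist script writes the key as offending-ip (hyphen) in the raw line.
WATCH_RE = re.compile(
    r"^[A-Za-z]{3} (?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) \d\d:\d\d:\d\d \S+ (?P<year>\d{4}) "
    r".*?offending-ip=(?P<offending_ip>[\d.]+)"
)


def _day_key(year, mon, day):
    """Equivalent of eval day=strftime(_time, "%Y-%m-%d")."""
    return datetime.strptime(f"{year} {mon} {int(day)}", "%Y %b %d").strftime("%Y-%m-%d")


def parse_event(sourcetype, raw):
    """Normalise one raw event to {sourcetype, day, ip}; None if it does not parse."""
    if sourcetype == "cisco_asa":
        m = ASA_RE.search(raw)
        if not m:
            return None
        return {"sourcetype": sourcetype,
                "day": _day_key(ASSUMED_YEAR, m["mon"], m["day"]),
                "ip": m["dest_ip"]}          # ip=coalesce(dest_ip, ...)
    if sourcetype == "ip_watchlist":
        m = WATCH_RE.search(raw)
        if not m:
            return None
        return {"sourcetype": sourcetype,
                "day": _day_key(m["year"], m["mon"], m["day"]),
                "ip": m["offending_ip"]}     # ip=coalesce(..., offending_ip)
    return None


def correlate(events, by_day=True):
    """stats count, values(sourcetype), dc(sourcetype) by day, ip | where dc > 1.

    by_day=False drops the day bucket, i.e. correlates across the whole search
    window instead of within one calendar day.
    """
    groups = defaultdict(list)
    for sourcetype, raw in events:
        ev = parse_event(sourcetype, raw)
        if ev is None:
            continue
        key = (ev["day"] if by_day else "all", ev["ip"])
        groups[key].append(ev["sourcetype"])
    rows = []
    for (day, ip), seen in sorted(groups.items()):
        sourcetypes = sorted(set(seen))
        if len(sourcetypes) > 1:            # where sourcetype_count > 1
            rows.append({"day": day, "ip": ip, "number_of_events": len(seen),
                         "sourcetypes": sourcetypes})
    return rows


if __name__ == "__main__":
    for row in correlate(SAMPLE_EVENTS):
        print(row)
    # 61.191.188.70 only lines up once the per-day bucket is removed: its
    # teardown is on Aug 24 and its watchlist hit on Aug 23.
    for row in correlate(SAMPLE_EVENTS, by_day=False):
        print("window-wide:", row)
```

The per-day key is the counterpart of the day column (or maxspan=1d in the original transaction search); running with by_day=False shows how the choice of span decides which IPs line up, which is the first thing to check when a correlation search returns nothing.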

fahrenheit
New Member

Hi brettcave,

I don't know how to do it, can you give an example?

thanks

regards

0 Karma

fahrenheit
New Member

The results:

Aug 23 13:03:05 %ASA-6-302014: Teardown TCP connection 924351437 for Inside:x.x.x.x/1081 to Internet:112.106.156.81/80 duration 0:00:30 bytes 0 SYN Timeout
vie ago 23 13:03:26 CEST 2013 splunk-host=splunk offending-ip=61.191.188.70
Aug 23 13:03:26 10.1.233.1 %ASA-6-302014: Teardown TCP connection 924355686 for Inside:x.x.x.x/1084 to Internet:112.106.156.81/80 duration 0:00:30 bytes 0 SYN Timeout

host=x.x.x.x
host=SPLUNK
sourcetype=ciscoasa
sourcetype=ipwatchlist
source=/opt/splunk/etc/apps/splunkipwatchlist/bin/getbadip.sh

thanks

0 Karma

Ayn
Legend

"Isn't working" isn't very helpful. Please tell us more about the exact results, and what troubleshooting process you have gone through.

0 Karma