I am trying to correlate data from the IP watchlist app with firewall events.
The search:
(index=test sourcetype=ciscoasa teardown) OR (index=test sourcetype=ipwatchlist) | transaction destip,offendingip maxspan=1d connected=f | eval countsourcetypes=mvcount(sourcetype) | where countsourcetypes>1
but it isn't working.
Aug 23 13:03:05 %ASA-6-302014: Teardown TCP connection 924351437 for Inside:x.x.x.x/1081 to Internet:22.214.171.124/80 duration 0:00:30 bytes 0 SYN Timeout
vie ago 23 13:03:26 CEST 2013 splunk-host=splunk offending-ip=126.96.36.199
Aug 23 13:03:26 10.1.233.1 %ASA-6-302014: Teardown TCP connection 924355686 for Inside:x.x.x.x/1084 to Internet:188.8.131.52/80 duration 0:00:30 bytes 0 SYN Timeout
I find using stats is a much better method for correlating data based on common fields.
stats list(some_field) AS all_values values(other_field) AS distinct_values by transaction_field
You can then pipe to things like mvexpand or eval's with multivalue functions to extract / count the data.
(index=test sourcetype=ciscoasa teardown) OR (index=test sourcetype=ipwatchlist) | eval day=strftime(_time,"%F") | chart c as numberofevents list(offendingip) as offendingips over day by destip
The general form is chart <aggr_func> over <field-x> by <field-y>, or stats <aggr_func> by <field-x>,<field-y>. Chart also supports the span parameter if you don't want to manually set the day using eval like I did; play around with it to get the exact results you are looking for.
You can also do something like this to get the IP into a single field from both event types if it works better for you:
... | eval ip=case(eventtype="cisco",dest_ip,eventtype="ip_watchlist",offending_ip) | chart c(eval(eventtype="cisco")) as number_of_cisco_events c(eval(eventtype="ip_watchlist")) as number_of_watchlist_events over day by ip
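To make the stats-by-common-field idea concrete outside Splunk, here is an added Python model of the same correlation (not code from the original answer): it parses the two event formats from the question, normalizes the ASA destination IP and the watchlist offending-ip into one ip field (the eval/case step), groups by day and ip, and keeps only IPs seen in both sourcetypes on the same day. The events, IPs and English month names are constructed for the example; the field and sourcetype names follow the question.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events modelled on the two sourcetypes in the question.
# ASA teardown lines carry the destination IP; watchlist lines carry offending-ip.
SAMPLE_EVENTS = [
    ("ciscoasa", "Aug 23 13:03:05 %ASA-6-302014: Teardown TCP connection 924351437 "
                 "for Inside:10.0.0.5/1081 to Internet:203.0.113.10/80 duration 0:00:30 bytes 0 SYN Timeout"),
    ("ipwatchlist", "Fri Aug 23 13:03:26 CEST 2013 splunk-host=splunk offending-ip=203.0.113.10"),
    ("ciscoasa", "Aug 23 13:03:26 10.1.233.1 %ASA-6-302014: Teardown TCP connection 924355686 "
                 "for Inside:10.0.0.5/1084 to Internet:198.51.100.7/80 duration 0:00:30 bytes 0 SYN Timeout"),
    ("ipwatchlist", "Sat Aug 24 09:00:00 CEST 2013 splunk-host=splunk offending-ip=198.51.100.7"),
]

# Month/day plus the destination IP after " to <zone>:"; ASA syslog lines carry no year.
ASA_RE = re.compile(r"^(?P<mon>\w{3}) (?P<day>\d{1,2}) .*? to \w+:(?P<ip>\d+\.\d+\.\d+\.\d+)/\d+")
# Weekday, month, day, then the offending-ip key=value pair.
WATCH_RE = re.compile(r"^\w{3} (?P<mon>\w{3}) (?P<day>\d{1,2}) .*?offending-ip=(?P<ip>\d+\.\d+\.\d+\.\d+)")

def normalize(sourcetype, raw, year=2013):
    """Equivalent of the eval/case step: one (day, ip) pair from either sourcetype, or None."""
    m = (ASA_RE if sourcetype == "ciscoasa" else WATCH_RE).match(raw)
    if not m:
        return None
    day = datetime.strptime(f"{m['mon']} {m['day']} {year}", "%b %d %Y").strftime("%Y-%m-%d")
    return day, m["ip"]

def correlate(events):
    """Equivalent of: stats count, dc(sourcetype) by day, ip | where dc(sourcetype) > 1.

    Returns {(day, ip): event_count} for IPs seen in more than one sourcetype that day.
    """
    groups = defaultdict(lambda: {"count": 0, "sourcetypes": set()})
    for sourcetype, raw in events:
        key = normalize(sourcetype, raw)
        if key is None:
            continue  # unparseable line: same as a null ip field dropping out of stats
        groups[key]["count"] += 1
        groups[key]["sourcetypes"].add(sourcetype)
    return {k: v["count"] for k, v in groups.items() if len(v["sourcetypes"]) > 1}

if __name__ == "__main__":
    for (day, ip), n in sorted(correlate(SAMPLE_EVENTS).items()):
        print(day, ip, n)
```

Only 203.0.113.10 survives: 198.51.100.7 appears in both sourcetypes but on different days, which is exactly what grouping by day (or maxspan=1d) is meant to separate.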