I'm trying to correlate events with the transaction function.
This is my search:
source="auditd"| transaction msg | stats values(auid) AS Users values(exe) AS Commands values(a1) AS par1 values(a2) AS par2 values(a3) AS par3 BY msg
My need is that I want to group two records that are part of the same event (msg) and to get some parameters from one event and one from the other. Unfortunately the parameters have the same name in both the events (a0, a1, a2, ...).
How can I tell Splunk to distinguish the a1 from the first event against the a1 from the second event?
Example: one correlated event based on the msg, but with 2 different types.
I want to take the a1, a2, ... from the type=EXECVE and not the one from type=SYSCALL.
type=SYSCALL msg=audit(12/12/2012 08:37:06.190:17211) : arch=i386 syscall=execve success=yes exit=0 a0=9ba86d0 a1=9bad370 a2=9bad828 a3=0 items=2 ppid=10479 pid=24196 tty=pts0 ses=38 comm=cat exe=/bin/cat key=(null) type=EXECVE msg=audit(12/12/2012 08:37:06.190:17211) : argc=2 a0=cat a1=/etc/passwd
Do you know the order of the events, so for instance that the SYSCALL event comes before EXECVE (I'm guessing yes)? If so you can use the fact that when
transaction encounters multiple values for a field, it will create a multi-valued field out of them. By default this multi-valued field is ordered alphabetically, but by specifying
mvlist=t it will be ordered in the order the values were encountered. So you could do
... | transaction mvlist=t msg | eval a1_1=mvindex(a1,0) | eval a1_2=mvindex(a1,1) | ...
Great! I noticed just now how I talked about the
mvlist parameter but then totally forgot to actually put it into the example I gave - hope you didn't recreate my error 🙂 Anyways, I edited my answer now so that the transaction example is correct.
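As an added example (not part of the original thread), here is an order-independent alternative to the mvindex approach in the answer above: tag each argument field with the record type before grouping, so the EXECVE values (the actual command-line arguments) are kept and the SYSCALL values (register/pointer values) are dropped regardless of which record Splunk sees first. It assumes the field names from the question (msg, type, auid, exe, a1..a3) are already extracted by the auditd source, and it keeps the same output column names as the original search.

```spl
source="auditd"
| eval exec_a1=if(type=="EXECVE", a1, null())
| eval exec_a2=if(type=="EXECVE", a2, null())
| eval exec_a3=if(type=="EXECVE", a3, null())
| stats values(auid) AS Users
        values(exe) AS Commands
        values(exec_a1) AS par1
        values(exec_a2) AS par2
        values(exec_a3) AS par3
  BY msg
```

Because null() values are ignored by values(), par1..par3 contain only the EXECVE arguments, while Users and Commands still come from the SYSCALL record in the same msg group; the same eval lines can be placed in front of transaction msg if you prefer to keep the transaction-based search.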