Splunk Search

Correlate events, get parameters from only one of the events

horizonsecurity
Explorer

Hi *,

I'm trying to correlate events with the transaction function.
This is my search:

source="auditd"| transaction msg | stats values(auid) AS Users values(exe) AS Commands values(a1) AS par1 values(a2) AS par2 values(a3) AS par3 BY msg

My need is that I want to group two strings that are part of the same event (msg) and to get some parameters from one event and one from the other. Unfortunately the parameters have the same name in both the events (a0, a1, a2, ...).

How can I tell Splunk to distinguish the a1 from the first event against the a1 from the second event?


Example: one correlated event based on the msg, but with 2 different types.
I want to take the a1, a2, ... from the type=EXECVE and not the one from type=SYSCALL.

    type=SYSCALL msg=audit(12/12/2012 08:37:06.190:17211) : arch=i386 syscall=execve success=yes exit=0 a0=9ba86d0 a1=9bad370 a2=9bad828 a3=0 items=2 ppid=10479 pid=24196 tty=pts0 ses=38 comm=cat exe=/bin/cat key=(null)
    type=EXECVE msg=audit(12/12/2012 08:37:06.190:17211) : argc=2 a0=cat a1=/etc/passwd

Thanks,

HS

1 Solution

Ayn
Legend

Do you know the order of the events, so for instance that the SYSCALL event comes before EXECVE (I'm guessing yes)? If so you can use the fact that when transaction encounters multiple values for a field, it will create a multi-valued field out of them. By default this multi-valued field is ordered alphabetically, but by specifying mvlist=t it will be ordered in the order the values were encountered. So you could do

... | transaction mvlist=t msg | eval a1_1=mvindex(a1,0) | eval a1_2=mvindex(a1,1) | ...

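To make the mechanics of the accepted answer concrete outside Splunk, here is an added example (editor's code, not from the post or from Splunk): it parses auditd records, groups them by the msg=audit(...) id in encounter order, which is what `transaction mvlist=t msg` gives you, and then shows both views of the colliding `a1` field: the positional one (`mvindex(a1,0)` / `mvindex(a1,1)`) and a selection keyed on `type=EXECVE`, which does not depend on the SYSCALL record arriving first. The log lines are constructed from the shape of the two records in the question, plus a second transaction, and `parse_record`, `correlate`, `execve_args` and `summarize` are names chosen here.

```python
"""Correlate auditd SYSCALL/EXECVE records by msg id and pull argv from the
EXECVE record only. Added example, not code from the original thread."""
import re
from collections import defaultdict

# Constructed sample: the two records from the question plus a second
# transaction, so that grouping by msg id is actually exercised.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(12/12/2012 08:37:06.190:17211) : arch=i386 syscall=execve success=yes exit=0 a0=9ba86d0 a1=9bad370 a2=9bad828 a3=0 items=2 ppid=10479 pid=24196 tty=pts0 ses=38 comm=cat exe=/bin/cat key=(null)
type=EXECVE msg=audit(12/12/2012 08:37:06.190:17211) : argc=2 a0=cat a1=/etc/passwd
type=SYSCALL msg=audit(12/12/2012 08:37:07.001:17212) : arch=i386 syscall=execve success=yes exit=0 a0=9ba86d0 a1=9bad370 a2=0 a3=0 items=2 ppid=10479 pid=24197 tty=pts0 ses=38 comm=ls exe=/bin/ls key=(null)
type=EXECVE msg=audit(12/12/2012 08:37:07.001:17212) : argc=3 a0=ls a1=-la a2=/tmp
"""

# The msg id is the transaction key; the time and serial together identify one syscall.
MSG_RE = re.compile(r"msg=audit\(([^)]*)\)")
# key=value pairs; auditd quotes values that contain spaces, so accept both forms.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Return (msg_id, fields) for one auditd line; fields holds every key=value pair."""
    m = MSG_RE.search(line)
    if not m:
        return None, {}
    fields = {}
    for key, value in KV_RE.findall(line):
        if key == "msg":          # already captured as the transaction key
            continue
        fields[key] = value.strip('"')
    return m.group(1), fields


def correlate(log_text):
    """Group records by msg id, preserving encounter order (transaction mvlist=t)."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        msg_id, fields = parse_record(line)
        if msg_id is not None:
            groups[msg_id].append(fields)
    return groups


def execve_args(records):
    """argv of one transaction, taken from the EXECVE record by type, not by position."""
    for rec in records:
        if rec.get("type") == "EXECVE":
            argc = int(rec.get("argc", 0))
            return [rec.get(f"a{i}") for i in range(argc)]
    return None


def summarize(log_text):
    """Per transaction: exe from SYSCALL, argv from EXECVE, plus the positional a1 view."""
    out = {}
    for msg_id, recs in correlate(log_text).items():
        syscall = next((r for r in recs if r.get("type") == "SYSCALL"), {})
        out[msg_id] = {
            "exe": syscall.get("exe"),
            "argv": execve_args(recs),
            # Same thing mvindex(a1,0) / mvindex(a1,1) return after transaction mvlist=t:
            # element 0 is the SYSCALL pointer value, element 1 the EXECVE argument.
            "a1_by_position": [r.get("a1") for r in recs if "a1" in r],
        }
    return out


if __name__ == "__main__":
    for msg_id, info in summarize(SAMPLE_LOG).items():
        print(msg_id, info)
```

The positional view only works while the record order inside each transaction is stable; selecting on `type` survives reordering and a SYSCALL record that carries fewer `aN` fields than the EXECVE one. In SPL the type-keyed variant can be expressed before the transaction, for example `... | eval exec_a1=if(type=="EXECVE", a1, null()) | transaction msg | ...`, so that only the EXECVE value reaches the grouped event (editor's suggestion, not from the thread).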

Ayn
Legend

Great! I noticed just now how I talked about the mvlist parameter but then totally forgot to actually put it into the example I gave - hope you didn't recreate my error 🙂 Anyways, I edited my answer now so that the transaction example is correct.

0 Karma

horizonsecurity
Explorer

Thanks! It works! I tried it before, but I put the eval(mvindex) after the stats ....

0 Karma