
Correlate events, get parameters from only one of the events

Hi *,

I'm trying to correlate events with the transaction function.
This is my search:

source="auditd"| transaction msg | stats values(auid) AS Users values(exe) AS Commands values(a1) AS par1 values(a2) AS par2 values(a3) AS par3 BY msg

My need is that I want to group two strings that are part of a same event (msg) and to get some parameters from one event and one from the other. Unfortunately the parameters have the same name in both the events (a0, a1, a2, ...).

How can I tell to Splunk to distinguish the a1 from the first event against the a1 from the second event?


Example: one correlated event based on the msg, but with 2 different types.
I want to take the a1, a2, ... from the type=EXECVE and not the ones from type=SYSCALL.

   type=SYSCALL msg=audit(12/12/2012 08:37:06.190:17211) : arch=i386 syscall=execve success=yes exit=0 a0=9ba86d0 a1=9bad370 a2=9bad828 a3=0 items=2 ppid=10479 pid=24196 tty=pts0 ses=38 comm=cat exe=/bin/cat key=(null)
   type=EXECVE msg=audit(12/12/2012 08:37:06.190:17211) : argc=2 a0=cat a1=/etc/passwd

Thanks,

HS


Re: Correlate events, get parameters from only one of the events


Do you know the order of the events, so for instance that the SYSCALL event comes before EXECVE (I'm guessing yes)? If so you can use the fact that when transaction encounters multiple values for a field, it will create a multi-valued field out of them. By default this multi-valued field is ordered alphabetically, but by specifying mvlist=t it will be ordered in the order the values were encountered. So you could do

... | transaction mvlist=t msg | eval a1_1=mvindex(a1,0) | eval a1_2=mvindex(a1,1) | ...

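To make the ordering point concrete, here is an added Python model (not Splunk code, and not from either poster) that parses the two auditd records from the question, groups them by msg the way transaction does with and without mvlist=t, and adds an order-independent alternative that reads the arguments from the EXECVE event by its type. The mvlist behaviour modelled (arrival order when true, unique values sorted lexicographically when false) is taken from the answer above.

```python
import re

# Constructed sample: the two auditd records from the question (one SYSCALL, one
# EXECVE) sharing the msg id that transaction groups on.
AUDIT_LINES = [
    "type=SYSCALL msg=audit(12/12/2012 08:37:06.190:17211) : arch=i386 syscall=execve "
    "success=yes exit=0 a0=9ba86d0 a1=9bad370 a2=9bad828 a3=0 items=2 ppid=10479 "
    "pid=24196 tty=pts0 ses=38 comm=cat exe=/bin/cat key=(null)",
    "type=EXECVE msg=audit(12/12/2012 08:37:06.190:17211) : argc=2 a0=cat a1=/etc/passwd",
]
MSG = "audit(12/12/2012 08:37:06.190:17211)"
# key=value pairs; a parenthesised value such as msg=audit(... ...) may contain a space.
KV_RE = re.compile(r"(\w+)=(\S*\([^)]*\)|\S+)")


def parse_audit(line):
    """Split one auditd record into a {field: value} dict."""
    return dict(KV_RE.findall(line))


def transaction(records, key, mvlist):
    """Group records by `key` the way Splunk's transaction does: mvlist=True keeps
    every value in arrival order, mvlist=False (the default) keeps only unique
    values sorted lexicographically, so positional mvindex access is unreliable."""
    groups = {}
    for rec in records:
        tx = groups.setdefault(rec[key], {"events": [], "fields": {}})
        tx["events"].append(rec)
        for field, value in rec.items():
            tx["fields"].setdefault(field, []).append(value)
    if not mvlist:
        for tx in groups.values():
            tx["fields"] = {f: sorted(set(v)) for f, v in tx["fields"].items()}
    return groups


def mvindex(values, i):
    """Splunk's mvindex: the i-th value of a multivalue field, or None if absent."""
    return values[i] if 0 <= i < len(values) else None


def a1_by_position(mvlist):
    """a1 of the second event, as the answer's `eval a1_2=mvindex(a1,1)` computes it."""
    txs = transaction([parse_audit(l) for l in AUDIT_LINES], "msg", mvlist)
    return mvindex(txs[MSG]["fields"]["a1"], 1)


def execve_args(tx):
    """Order-independent alternative: read a0..a(argc-1) from the EXECVE event itself."""
    for rec in tx["events"]:
        if rec.get("type") == "EXECVE":
            return [rec["a%d" % n] for n in range(int(rec["argc"]))]
    return []
```

Without mvlist=t the sorted set puts /etc/passwd before 9bad370, so mvindex(a1,1) returns the SYSCALL pointer instead of the EXECVE argument; execve_args avoids depending on event order at all.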


Re: Correlate events, get parameters from only one of the events

Thanks! It works! I tried it before, but I put the eval(mvindex) after the stats ....


Re: Correlate events, get parameters from only one of the events


Great! I noticed just now how I talked about the mvlist parameter but then totally forgot to actually put it into the example I gave - hope you didn't recreate my error 🙂 Anyways, I edited my answer now so that the transaction example is correct.
