Correlate three events with differing properties

AndreasBalster
Explorer

I need to correlate three events of different types which have 1 single property in common, respectively:

<TS> type_name=AUDIT_PATH callid=123 exe=/etc/sudoers.work
<TS> type_name=AUDIT_SYSCALL callid=123 session=456
<TS> type_name=AUDIT_USER_START session=456 acct=root

My tries so far have been unsuccessful and I'm running out of ideas. How can I do this?

P.S. I'm trying to not use the transaction command

0 Karma

somesoni2
Revered Legend

What is your expected output out of this? More information can help get better answers.

0 Karma

MuS
Legend

Hi AndreasBalster,

You can use streamstats for this. Given this log file:

<TS> type_name=AUDIT_PATH callid=123 exe=/etc/sudoers.work
<TS> type_name=AUDIT_SYSCALL callid=123 session=456
<TS> type_name=AUDIT_USER_START session=456 acct=root
<TS> type_name=AUDIT_PATH callid=124 exe=/etc/foo.work
<TS> type_name=AUDIT_SYSCALL callid=124 session=457
<TS> type_name=AUDIT_USER_START session=457 acct=root
<TS> type_name=AUDIT_PATH callid=125 exe=/etc/boo.work
<TS> type_name=AUDIT_SYSCALL callid=125 session=458
<TS> type_name=AUDIT_USER_START session=458 acct=root
<TS> type_name=AUDIT_PATH callid=126 exe=/etc/sudoers.work
<TS> type_name=AUDIT_SYSCALL callid=126 session=459
<TS> type_name=AUDIT_USER_START session=459 acct=root2
<TS> type_name=AUDIT_PATH callid=127 exe=/etc/foo.work
<TS> type_name=AUDIT_SYSCALL callid=127 session=460
<TS> type_name=AUDIT_USER_START session=460 acct=root2
<TS> type_name=AUDIT_PATH callid=128 exe=/etc/bla.work
<TS> type_name=AUDIT_SYSCALL callid=128 session=461
<TS> type_name=AUDIT_USER_START session=461 acct=root2
<TS> type_name=AUDIT_PATH callid=129 exe=/etc/sudoers.work
<TS> type_name=AUDIT_SYSCALL callid=129 session=462
<TS> type_name=AUDIT_USER_START session=462 acct=root2

I was able to use this search and got back a nice table of callid, session, exe and acct:

source=/var/tmp/myfoo type_name=AUDIT_PATH OR type_name=AUDIT_USER_START OR type_name=AUDIT_SYSCALL | streamstats current=f last(callid) AS last_callid last(session) AS last_session last(acct) AS last_acct  | where callid=last_callid | rename last_session AS session last_acct AS acct | table callid session acct exe

Since you got millions of events I cannot tell if this will perform at a good rate or if it will work at all, since I used the above test file and not your real world data.

hope this helps ...

cheers, MuS

0 Karma

AndreasBalster
Explorer

Sadly, this approach seems to be dependent on the order of events. My data gets correlated in a non-matching fashion (it puts exes together with users that didn't call those). But many thanks for your reply!

0 Karma

richgalloway
SplunkTrust

Have you tried something like this?

source=foo type_name=AUDIT_PATH | join callid [search type_name=AUDIT_SYSCALL] | join session [search type_name=AUDIT_USER_START]
---
If this reply helps you, Karma would be appreciated.
0 Karma

AndreasBalster
Explorer

This produces something, but I cannot verify its correctness or completeness. Judging by the warning message Splunk gives me (Subsearch exceeded 50000 events, using only first 50000) I think it will be incomplete. Thank you for your reply nonetheless!

0 Karma
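
An order-independent way to do the correlation discussed in this thread without transaction, join or a subsearch, as an added example that is not from any of the posters: eventstats copies acct onto every event that shares a session, then stats groups by callid to produce one row per callid with its exe, session and acct. The makeresults, split and rex lines only build constructed sample events in the thread's format, deliberately out of order; the field names are the ones shown in the question.

```spl
| makeresults
| eval raw=split("type_name=AUDIT_USER_START session=457 acct=root2;type_name=AUDIT_PATH callid=123 exe=/etc/sudoers.work;type_name=AUDIT_USER_START session=456 acct=root;type_name=AUDIT_SYSCALL callid=124 session=457;type_name=AUDIT_PATH callid=124 exe=/etc/foo.work;type_name=AUDIT_SYSCALL callid=123 session=456", ";")
| mvexpand raw
| rex field=raw "type_name=(?<type_name>\S+)"
| rex field=raw "callid=(?<callid>\d+)"
| rex field=raw "session=(?<session>\d+)"
| rex field=raw "exe=(?<exe>\S+)"
| rex field=raw "acct=(?<acct>\S+)"
| eventstats values(acct) AS acct BY session
| stats values(exe) AS exe values(session) AS session values(acct) AS acct BY callid
| table callid session acct exe
```

On indexed data, replace everything above the eventstats line with the base search that selects the three type_name values. A callid whose session has no AUDIT_USER_START in the search window comes back with an empty acct, and a session value seen with more than one account in the window yields a multivalue acct.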