- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Correlating two logs help, newbie
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Correlating two logs help, newbie
Hi,
Ok at this point I can barely spell SPLUNK but I have gone through a bootcamp course and I'm trying to pull off my first assignment to correlate between two logs.
I have login data like username, AssignedIP, time/date in one log. I have outbound src_ip dest_ip traffic and time/date in another log. I know when a user is assigned an IP but I don't know when they stop other than seeing a new event assigning the IP to a different user.
AssignedIP = src_ip, is the link across the data sources but only within the time period that the user had the IP address.
I have two use cases:
1. Show me all the traffic for a particular user
2. Find the user that generated this traffic
I may have to specify the time and date and not just the last X days/weeks etc.
Can someone point me in the right direction how to build this search and correlate the data? Is this is better as a subsearch or a transaction. I know transactions are more costly but not sure when they are better to use.
Thanks for any help. Sorry for the newbie questions
Curt
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @curtgran,
as @fk319 said, you could use the transaction command, but this is a very slow command, so I hint to use it only if you haven't any other solution.
I usually use stats command correlating events by the common key (in your sample AssignedIP and src_ip).
Something like this:
(search_one) OR (search_two)
| rename src_ip AS AssignedIP
| stats values(username) AS username earliest(_time) AS _time values(dest_ip) AS dest_ip values(traffic) AS traffic BY AssignedIPI listed all the fields you have, obviously you can use only the ones you need in your use cases.
ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, I have looked at transactions. And I've been trying to figure out how it works. I've looked at a lot of examples but they all seem to use the same log where I'm trying to go across multiple logs. My biggest issue is figuring out what exactly you put in the transaction command to tie fields together.
Maybe it's because the fields are not the same name in each log. If that's the case I have to figure out how to either redefine, rename or create duplicates with the same name.
Curt
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi! I am looking into the same problem (correlating data between two different log files). Did you find a solution to your problem?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
search
I suppose you knew that already, what you need is to have a common field between the logs. You will need to the rex command to help you along here. Usually there is some identifier, like ID or client ip.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you looked at the command transaction?
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
