Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Correlation to search multiple ST for matching rexed values

Capttech
Explorer
‎10-31-2023 01:34 PM

Looking to build 1 correlation search to do the following:

Bring an extracted field name from 1 ST and search that field name across another ST.

If hits in both ST, do not alert. If only hits in the first ST, do alert.

Ideally, this would function similar to how $host$ can be used in a drill down to pull the host name, though I'm not sure this is possible for a correlation search. Is there a command to do a comparison like this?

So far I have the following returning results:
sourcetype=A | rex field=_raw "John\s+(?<endpoint>\w+)"
| append [| search sourcetype=B "Live" | rex field=_raw "Mike\s+(?<endpoint>\w+)"]

This does give me results from both indexes, but this is not correlating results from A to B (obviously). I have tried several commands (join, transaction, coalesce etc) and removed these failed attempts from the above for simplicity. I may have been using these commands incorrectly as well. 

TYIA

Labels (5)
0 Karma
Reply

Capttech
Explorer
‎11-02-2023 07:55 AM

After speaking to our local Splunk admin, what I am trying to do is not possible. So decided to break it into the 2 searches; 1 correlation search and then a drill down. Then we're building a playbook to auto-close the alert if the drill down finds hits. 

I was trying to build this alert to not hit SOAR and thus reduce resources on our Splunk instance, but this was not possible in this manner.

Reply

Capttech
Explorer
‎10-31-2023 03:14 PM

Thanks for the quick response.

So endpoint would be a rex'd field, but I want to search on the specific endpoint name from the first rex command. Also looking to correlate that specific endpoint name is present in both sourcetypes. End point is not an extracted field in either ST so needs to be rex'd out of both. The above may work if I was able to run it as  "| stats count by $endpoint$".

For an example: I could build the alert as
Correlation search:

sourcetype=A | rex field=_raw "John\s+(?<endpoint>\w+)"
| stats count by endpoint



Drill Down:

sourcetype=B "Live" | search $endpoint$


(In this case, the drill down would become a keyword search on the endpoint name rather than a rex'd field)

This would work and create an alert that would just need to be manually closed if validated by proving the same endpoint is present in both ST's. Would like to reduce this noise if possible. 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-31-2023 01:43 PM

It's not entirely clear what the expected output should be, but perhaps this helps.  It counts the number of sourcetypes for each endpoint and filters out events where endpoint is in both sourcetypes.

sourcetype=A 
| rex field=_raw "John\s+(?<endpoint>\w+)"
| append [| search sourcetype=B "Live" 
  | rex field=_raw "Mike\s+(?<endpoint>\w+)"]
| stats count by endpoint
| where count = 1
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What did the zero say to the eight?

June 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

Splunk Observability Cloud's AI Assistant in Action Series: Onboarding New Hires & ...

This is the fifth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Now Playing: Splunk Education Summer Learning Premieres

It’s premiere season, and Splunk Education is rolling out new releases you won’t want to miss. Whether you’re ...
li.common.scroll-to.top