Splunk Search

Correlation to search multiple ST for matching rexed values

Capttech
Explorer

Looking to build 1 correlation search to do the following:

Bring an extracted field name from 1 ST and search that field name across another ST.

If hits in both ST, do not alert. If only hits in the first ST, do alert.

Ideally, this would function similar to how $host$ can be used in a drill down to pull the host name, though I'm not sure this is possible for a correlation search. Is there a command to do a comparison like this?

So far I have the following returning results:
sourcetype=A | rex field=_raw "John\s+(?<endpoint>\w+)"
| append [| search sourcetype=B "Live" | rex field=_raw "Mike\s+(?<endpoint>\w+)"]

This does give me results from both indexes, but this is not correlating results from A to B (obviously). I have tried several commands (join, transaction, coalesce etc) and removed these failed attempts from the above for simplicity. I may have been using these commands incorrectly as well. 

TYIA


Capttech
Explorer

After speaking to our local Splunk admin, what I am trying to do is not possible. So decided to break it into the 2 searches; 1 correlation search and then a drill down. Then we're building a playbook to auto-close the alert if the drill down finds hits. 

I was trying to build this alert to not hit SOAR and thus reduce resources on our Splunk instance, but this was not possible in this manner.

Capttech
Explorer

Thanks for the quick response.

So endpoint would be a rex'd field, but I want to search on the specific endpoint name from the first rex command. Also looking to correlate that specific endpoint name is present in both sourcetypes. Endpoint is not an extracted field in either ST, so it needs to be rex'd out of both. The above may work if I was able to run it as "| stats count by $endpoint$".

For an example: I could build the alert as
Correlation search:

sourcetype=A | rex field=_raw "John\s+(?<endpoint>\w+)"
| stats count by endpoint



Drill Down:

sourcetype=B "Live" | search $endpoint$


(In this case, the drill down would become a keyword search on the endpoint name rather than a rex'd field)

This would work and create an alert that would just need to be manually closed if validated by proving the same endpoint is present in both STs. Would like to reduce this noise if possible.


richgalloway
SplunkTrust

It's not entirely clear what the expected output should be, but perhaps this helps.  It counts the number of sourcetypes for each endpoint and filters out events where endpoint is in both sourcetypes.

sourcetype=A 
| rex field=_raw "John\s+(?<endpoint>\w+)"
| append [| search sourcetype=B "Live" 
  | rex field=_raw "Mike\s+(?<endpoint>\w+)"]
| stats count by endpoint
| where count = 1
---
If this reply helps you, Karma would be appreciated.
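An added example (not from the original thread or either poster) of one way to express the "alert only when the endpoint is seen in A and never in B" rule: it pulls both sourcetypes in a single base search instead of an append subsearch, applies both rex patterns (a pattern that does not match leaves endpoint untouched), then counts per-sourcetype hits per endpoint so that several A events for the same endpoint are not mistaken for a match in B. The sourcetype values A and B and the "Live" keyword are taken from the thread; the field names hits_a and hits_b are my own choice.

```spl
(sourcetype=A) OR (sourcetype=B AND "Live")
| rex field=_raw "John\s+(?<endpoint>\w+)"
| rex field=_raw "Mike\s+(?<endpoint>\w+)"
| where isnotnull(endpoint)
| stats count(eval(sourcetype=="A")) AS hits_a
        count(eval(sourcetype=="B")) AS hits_b
        BY endpoint
| where hits_a > 0 AND hits_b == 0
```

The final where clause is what separates the alert condition (present in A only) from the suppressed one (present in both); the same stats output can be inspected without that line to confirm which endpoints were matched in each sourcetype before the search is saved as a correlation search.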