Looking to build 1 correlation search to do the following:
Bring an extracted field name from 1 ST and search that field name across another ST.
If hits in both ST, do not alert. If only hits in the first ST, do alert.
Ideally, this would function similar to how $host$ can be used in a drill down to pull the host name, though I'm not sure this is possible for a correlation search. Is there a command to do a comparison like this?
So far I have the following returning results:
sourcetype=A | rex field=_raw "John\s+(?<endpoint>\w+)"
| append [| search sourcetype=B "Live" | rex field=_raw "Mike\s+(?<endpoint>\w+)"]
This does give me results from both indexes, but this is not correlating results from A to B (obviously). I have tried several commands (join, transaction, coalesce, etc.) and removed these failed attempts from the above for simplicity. I may have been using these commands incorrectly as well.
TYIA
After speaking to our local Splunk admin, what I am trying to do is not possible. So I decided to break it into 2 searches: 1 correlation search and then a drill down. Then we're building a playbook to auto-close the alert if the drill down finds hits.
I was trying to build this alert to not hit SOAR and thus reduce resources on our Splunk instance, but this was not possible in this manner.
Thanks for the quick response.
So endpoint would be a rex'd field, but I want to search on the specific endpoint name from the first rex command. I'm also looking to correlate that the specific endpoint name is present in both sourcetypes. Endpoint is not an extracted field in either ST, so it needs to be rex'd out of both. The above may work if I was able to run it as "| stats count by $endpoint$".
For an example: I could build the alert as
Correlation search:
sourcetype=A | rex field=_raw "John\s+(?<endpoint>\w+)"
| stats count by endpoint
Drill Down:
sourcetype=B "Live" | search $endpoint$
(In this case, the drill down would become a keyword search on the endpoint name rather than a rex'd field)
This would work and create an alert that would just need to be manually closed if validated by proving the same endpoint is present in both STs. I would like to reduce this noise if possible.
It's not entirely clear what the expected output should be, but perhaps this helps. It counts the number of sourcetypes for each endpoint and filters out events where endpoint is in both sourcetypes.
sourcetype=A
| rex field=_raw "John\s+(?<endpoint>\w+)"
| append [| search sourcetype=B "Live"
| rex field=_raw "Mike\s+(?<endpoint>\w+)"]
| stats count by endpoint
| where count = 1
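A variant of the search above, added here as an example and not part of the original answer: "stats count" counts events, so an endpoint that appears twice in sourcetype A alone would be dropped by "where count = 1" even though it never appears in B. Counting distinct sourcetypes instead, and keeping only rows whose single sourcetype is A, alerts exactly when an endpoint is seen in A but not in B (sourcetype names A and B and the "Live" keyword are taken from the thread; everything else is assumed).

```spl
sourcetype=A
| rex field=_raw "John\s+(?<endpoint>\w+)"
| append [ search sourcetype=B "Live" | rex field=_raw "Mike\s+(?<endpoint>\w+)" ]
| where isnotnull(endpoint)
| stats dc(sourcetype) AS st_count, values(sourcetype) AS sourcetypes, count AS events BY endpoint
| where st_count = 1 AND sourcetypes = "A"
```

The append subsearch is subject to the default subsearch result and time limits, so if sourcetype B "Live" returns a large volume in the correlation search's time range, the B side may be truncated and endpoints could be reported as A-only; combining both sourcetypes in the base search with an OR avoids that limit.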