Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Event correlation with specific event filterin...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
strangelaw
Explorer
06-18-2018
04:26 AM
I have following search:
index=pfsense OR index=otherindex verdict=pass | stats values(destip) AS fieldA, values(otherfield) AS fieldB, values(_time) as fieldC | mvexpand fieldA | mvexpand fieldC | eval matching=if(match(fieldA,fieldB),"1","0") | where matching > 0 | eval fieldC=strftime(fieldC,"%d/%m/%y %H:%M:%S") | table fieldA, fieldB, fieldC, verdict | rename verdict AS "Firewall verdict", fieldA AS "Destination IP", fieldB AS "otherfield", fieldC AS "Event time"
My problem is that verdict (as pass or block) which should be per search now only for "pass" does not follow till table. If I remove the verdict - it works, just without telling to select only passed events. The fields do exist.
Any idea how to make search working so that I can filter the whole search by verdict?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
poete
Builder
06-19-2018
03:34 AM
Hello, did you try this?
index=pfsense OR **(**index=otherindex **AND** verdict=pass**)** | stats values(destip) AS fieldA, values(otherfield) AS fieldB, values(_time) as fieldC | mvexpand fieldA | mvexpand fieldC | eval matching=if(match(fieldA,fieldB),"1","0") | where matching > 0 | eval fieldC=strftime(fieldC,"%d/%m/%y %H:%M:%S") | table fieldA, fieldB, fieldC, verdict | rename verdict AS "Firewall verdict", fieldA AS "Destination IP", fieldB AS "otherfield", fieldC AS "Event time"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
poete
Builder
06-19-2018
03:34 AM
Hello, did you try this?
index=pfsense OR **(**index=otherindex **AND** verdict=pass**)** | stats values(destip) AS fieldA, values(otherfield) AS fieldB, values(_time) as fieldC | mvexpand fieldA | mvexpand fieldC | eval matching=if(match(fieldA,fieldB),"1","0") | where matching > 0 | eval fieldC=strftime(fieldC,"%d/%m/%y %H:%M:%S") | table fieldA, fieldB, fieldC, verdict | rename verdict AS "Firewall verdict", fieldA AS "Destination IP", fieldB AS "otherfield", fieldC AS "Event time"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
poete
Builder
06-19-2018
03:35 AM
( is a bold parenthesis)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
strangelaw
Explorer
08-27-2018
03:24 PM
yepyep, this is now working. Thanks!
Get Updates on the Splunk Community!
See just what you’ve been missing | Observability tracks at Splunk University
Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...
Weezer at .conf25? Say it ain’t so!
Hello Splunkers,
The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...
How SC4S Makes Suricata Logs Ingestion Simple
Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...
