Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Event correlation

miguel1423
Explorer
‎09-28-2020 02:14 AM

Hello,

I would like to display some VPN informations in splunk like username, host information, session id. My problem is that I cannot display username and host information in the same table, the user field doesn't exist??

below the search that I did.

I search for user with specifique application use and I try to catch the username, session_id and client_info_host but I get nothing

 

 

 

 

 

index="index_X" partition="/Common/XXXXXXXXXXXX:Common" | stats count by user session_id client_info_host | table session_id user client_info_host

 

 

 

 

 

 

If I remove the field "client_info_host" I get the result below. 

 

 

 

 

 

index="index_X" partition="/Common/XXXXXXXXX:Common" | stats count by user session_id | table session_id user client_info_host

 

 

 

 

 

miguel1423_0-1601283625714.png

 

If I filter only with the field "client_info_host" I don't get the value username on the filed with this event.

miguel1423_2-1601284048156.png

 

But for all events the commune value is the session_id, How can I collerate all fields from session_id ?

 

Regards,

 

Labels (5)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-28-2020 02:34 AM

Hi @miguel1423,

after a stats command you have only the fields in the stats, in your first case: user, session_id, client_info_host.

In the second and third example you don't use some fields in the BY clause, for this reason you don't have in the following table.

If you want them, you have to put them in the stats command, e.g. using values option, something like this:

index="index_X" partition="/Common/XXXXXXXXX:Common" 
| stats values(client_info_host) AS client_info_host count by user session_id
| table session_id user client_info_host

Ciao.

Giuseppe

0 Karma
Reply

miguel1423
Explorer
‎09-28-2020 03:29 AM

Hello thank you for your reply,

I tried your suggestion but I get the username and session id but not the client_info host 😕 😭

miguel1423_0-1601288850564.png

 

 

P.S: The  client_info host data is not in the same event that the username, but the session id is in all events.

Regards,

Miguel

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-28-2020 04:56 AM

Hi @miguel1423,

sorry I didn't see that there's a space between "client_info" and "host": are you meaning two fields or one field with space between?

Anyway, the approach is the one I described:

use values(field) AS field for all the fields that you haven't in BY clause and you want in table.

Beware to correctly write the field names (they are case sensistive).

Ciao.

Giuseppe

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-28-2020 03:32 AM

It looks like client_info_host hasn't been extracted. Can you find an event with this field? Does it also have the user and session id field?

index="index_X" partition="/Common/XXXXXXXXXXXX:Common" | stats count values(client_info_host) as client_info_host values(user) as user by session_id | table session_id user client_info_host
0 Karma
Reply

miguel1423
Explorer
‎09-28-2020 03:36 AM

Hello Thank you to answer,

Yes I can find event with this field but the username isn't in the same event. The only same value that I can find in all event is the session id field

 

Regards,

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-28-2020 03:40 AM

So did you try the query I posted?

index="index_X" partition="/Common/XXXXXXXXXXXX:Common" 
| stats count values(client_info_host) as client_info_host values(user) as user by session_id 
| table session_id user client_info_host

This stats should "join" these events by session_id giving you the values of client_info_host and user for each session_id

0 Karma
Reply

miguel1423
Explorer
‎09-28-2020 03:56 AM

Hello,

Cool, yes it's work thank you 😁 if I want tu show the connexion time Do I need tu insert the field "_time" after the "by session_id" ? and in the table

 

Regards

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-28-2020 04:05 AM

No, but you could add earliest(_time) as session_start

index="index_X" partition="/Common/XXXXXXXXXXXX:Common" 
| stats count values(client_info_host) as client_info_host values(user) as user earliest(_time) as session_start by session_id 
| table session_id user client_info_host session_start

If you do something similar with latest(_time) as session_end you could calculate the duration of the session, if that is what you are after 

0 Karma
Reply

miguel1423
Explorer
‎09-28-2020 06:29 AM

Hi,

I have a last request, now I'm going to try to get a specific message_id and his value "message"

I added the value in the stats count value as below but I get all message and message ID I can't sort by message id with the field "where" Do you have any idea about that ?

 

index="index_XX" partition="/Common/XXXXXXXX:Common" 
| stats count values(client_info_host) as client_info_host values(user) as user values(message) as message values(message_id) as message_id  by session_id 
| dedup user
| where message_id="0505" 
| table session_id user client_info_host message_id message

 

miguel1423_0-1601299790594.png

 

 

Regards,

 

Miguel

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-28-2020 02:33 AM 
index="index_X" partition="/Common/XXXXXXXXXXXX:Common" | stats count values(client_info_host) as client_info_host by user session_id | table session_id user client_info_host
0 Karma
Reply
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...