Splunk Search

Help with searching across 3 files where one file contains not obviously linkable transactions

mfrost8
Builder

I'm trying to construct a search containing data across 3 Juniper Steel-Belted Radius files. The first two files, sourcetyped as radius_act_log and radius_auth_log, are straightforward CSV files with well-defined headers. I have extracted fields like User_Name, for instance, allowing me to search with User_Name="Bob".

The third file, sourcetyped as radius_log, contains interleaved session information, and this file is where the "meat" of our searching will hopefully be. Contents of the radius_log sourcetype look like this:

...
05/18/2011 09:43:02 (17904)-----------------------------------------------------------
05/18/2011 09:43:02 (17904)Accounting Request
05/18/2011 09:43:02 (17904)Received From: ip=1.2.3.4 port=41234
05/18/2011 09:43:02 (17904)Packet : Code = 0x4 ID = 0x40
05/18/2011 09:43:02 (17904)Client Name = 3.4.5.6 Dictionary Name = Radius.dct
05/18/2011 09:43:02 (17904)Vector =
05/18/2011 09:43:02 (17904)000: dff32d66 b0f78418 a85647c8 043609fb |..-f.....VG..6..|
05/18/2011 09:43:02 (17904)Parsed Packet =
05/18/2011 09:43:02 (17904)NAS-Identifier : String Value = 3.4.5.6
05/18/2011 09:43:02 (17904)**User-Name : String Value = Bob**
05/18/2011 09:43:02 (17904)NAS-IP-Address : IPAddress = 3.4.5.6
05/18/2011 09:43:02 (17904)NAS-Port : Integer Value = 252151
05/18/2011 09:43:02 (17904)Framed-IP-Address : IPAddress = 2.3.4.5
05/18/2011 09:43:02 (17904)3GPP2-Correlation-ID : String Value = 9zrsaI2e
05/18/2011 09:43:02 (17904)Calling-Station-Id : String Value = 310002346738412
05/18/2011 09:43:02 (17904)Acct-Status-Type : Integer Value = 1
05/18/2011 09:43:02 (17904)Acct-Session-Id : String Value = 423ADCBE
05/18/2011 09:43:02 (17904)Funk-Source-IP-Address : IPAddress = 1.2.3.4
05/18/2011 09:43:02 (17904)-----------------------------------------------------------
05/18/2011 09:43:02 (17904)Determining if this radius should act as a proxy
05/18/2011 09:43:02 (17904)Sending accounting response
05/18/2011 09:43:02 (17904)Created new session record without old-style Class attribute for user Bob
05/18/2011 09:43:02 (17904)Accounting start contains ip address 2.3.4.5 currently in use
05/18/2011 09:43:02 (17904)Sending accounting response
05/18/2011 09:43:02 (17904)-----------------------------------------------------------
...

I can, of course, set up another field extraction to pull User_Name from the radius_log sourcetype as well. The trick here is that the user name appears only occasionally in radius_log. The number in parens, 17904 above, is the LogThreadId (also already extracted as a field), and that's what would link related events together. It's really their idea of a session, except that it's not a value that's logged in any other file. It's just a unique number they generate to help you see events relating to a particular session.

What I would like to be able to do is construct a search that will show me all activity by user Bob in the last 24 hours across all 3 files and similar kinds of searches. It seems to me that I need to identify the user name in radius_log, then look at what the LogThreadId field is for that user name in say the last 24 hours and return those (plus perhaps the results from the other 2 CSV files where it's just a simple User_Name="Bob" search). Or something like that. I'm just not sure how to do that.

I had toyed with the idea of having Splunk treat things from radius_log as a single event -- breaking on the "-------------" lines perhaps, but since each event has a separately logged date and time, that seemed kind of weird. In most cases where I see those, the time is identical but not always.

I'm hoping this is an easy one for someone who has better search skills than I.

Thanks


Simeon
Splunk Employee

You probably need to create a transaction for each radius_log event. You can do this by using the 'transaction' command with your LogThreadId field:

sourcetype=radius_log | transaction LogThreadId maxspan=2s

After that is done, you now have a single 'event' that can be identified with the User Bob (just create a field extraction for the User Name which you have already done). Note that the transaction command can be expensive as it combines a lot of raw data.

sourcetype=radius_log | transaction LogThreadId maxspan=2s | search User_Name=Bob
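To make the grouping concrete, here is an added example that is not from the original thread or from Splunk: it emulates `transaction LogThreadId maxspan=2s | search User_Name=Bob` in Python over constructed radius_log lines in the format pasted above. The sample log, the extra user names and the later reuse of thread id 17904 by a different session are assumptions made up for the example; the reuse is there to show why `maxspan` matters, since without it a reused LogThreadId would fold another user's events into Bob's transaction.

```python
"""Emulate `transaction LogThreadId maxspan=2s | search User_Name=Bob` outside Splunk:
group Steel-Belted Radius radius_log lines by the thread id in parentheses, split a
thread when its span exceeds maxspan, then keep the groups that mention the user."""
import re
from datetime import datetime, timedelta

# Line shape: "MM/DD/YYYY HH:MM:SS (<LogThreadId>)<message>"
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \((\d+)\)(.*)$")
USER_RE = re.compile(r"User-Name : String Value = (\S+)")
TS_FMT = "%m/%d/%Y %H:%M:%S"

# Constructed sample (not real log data). Thread 17904 carries Bob at 09:43 and is
# assumed to be reused for Carol at 09:51; thread 17905 is Alice, interleaved.
SAMPLE_LOG = """\
05/18/2011 09:43:02 (17904)-----------------------------------------------------------
05/18/2011 09:43:02 (17904)Accounting Request
05/18/2011 09:43:02 (17905)Accounting Request
05/18/2011 09:43:02 (17904)Parsed Packet =
05/18/2011 09:43:02 (17904)User-Name : String Value = Bob
05/18/2011 09:43:02 (17905)User-Name : String Value = Alice
05/18/2011 09:43:02 (17904)Framed-IP-Address : IPAddress = 2.3.4.5
05/18/2011 09:43:03 (17904)Sending accounting response
05/18/2011 09:43:02 (17905)Sending accounting response
05/18/2011 09:51:40 (17904)Accounting Request
05/18/2011 09:51:40 (17904)User-Name : String Value = Carol
"""


def parse_events(log_text):
    """Return (timestamp, thread_id, message) for each well-formed line; skip the rest."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. the "..." separators in the pasted excerpt
        events.append((datetime.strptime(m.group(1), TS_FMT), m.group(2), m.group(3)))
    return events


def build_transactions(events, maxspan=timedelta(seconds=2)):
    """Events sharing a thread id form one transaction until the distance from the
    transaction's first event exceeds maxspan; then a new one starts (like Splunk's
    maxspan, measured first event to last)."""
    open_txn = {}  # thread_id -> transaction currently being filled
    done = []
    for ts, tid, msg in sorted(events, key=lambda e: e[0]):  # stable: ties keep order
        txn = open_txn.get(tid)
        if txn is None or ts - txn["start"] > maxspan:
            if txn is not None:
                done.append(txn)
            txn = {"thread": tid, "start": ts, "end": ts, "lines": [], "users": set()}
            open_txn[tid] = txn
        txn["end"] = ts
        txn["lines"].append(msg)
        u = USER_RE.search(msg)
        if u:
            txn["users"].add(u.group(1))  # the occasional User-Name line tags the group
    done.extend(open_txn.values())
    return sorted(done, key=lambda t: (t["start"], t["thread"]))


def find_user_activity(log_text, user, maxspan=timedelta(seconds=2)):
    """Every transaction in which `user` appears as User-Name, including the lines of
    that transaction that never mention the user name themselves."""
    return [t for t in build_transactions(parse_events(log_text), maxspan)
            if user in t["users"]]


if __name__ == "__main__":
    for txn in find_user_activity(SAMPLE_LOG, "Bob"):
        print(f"thread {txn['thread']} {txn['start']} -> {txn['end']}: "
              f"{len(txn['lines'])} lines, users={sorted(txn['users'])}")
```

With the default 2-second span Bob's six 17904 lines come back as one transaction and Carol's later reuse of the same thread id stays separate; raising `maxspan` to an hour merges the two, which is the failure mode to watch for when tuning the value in the real search.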