How can I group and aggregate and filter all event...

cjoelly · ‎06-18-2024

Coming from SQL, I want to do stuff like GROUP BY and HAVING ...

The data is available with a transaction identifier.Grouing should be done by that transaction identifier.

Per transaction, I want to check a few attributes, if their values are unique within each treansaction.

In SQL terms:
select transaction_id from index group by transaction_id

having count(distinct attr1) = 1 and count(distinct attr2) = 1 and count(distinct attr3) = 1

From that table of transaction_ids, a join to the same index should be done to filter the events.

How can I achieve this with Splunk query?

cjoelly · ‎06-18-2024

We changed our approach, generate a different structure in Splunk using stats and thus we do not need to read the raw events anymore.

cjoelly · ‎06-18-2024

I dont know if my approach is the right way to go. As I learned, that JOINs allow only 50.000 records to be joined. And I expect way more events to be joined to the filtered transactions.

ITWhisperer · ‎06-18-2024

You could try using eventstats to tag each event with the aggregated value for the transaction it is a part of and use this to filter the events.

How can I group and aggregate and filter all events based on those aggregated attributes?

stats

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?