Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I string certain searches together to get a list of user IP addresses doing a particular query?

dangerusty
Engager
‎03-07-2018 11:18 AM

I have connection logs for a database. I need to identify users making certain queries. I'd like to:

  1. Search for a string identifying the query
  2. Check that whole transaction for the original "open connection" event to get the IP address
  3. The IP address is a load balancer, so I have to check that IP/port in the load balancer logs to get the actual user IP address

How do I string these searches together to get a list of user IP addresses doing a particular query? I suspect the "transaction" command is key here, but I haven't found a clue in the examples.

0 Karma
Reply

DalJeanis
Legend
‎03-07-2018 11:57 AM

(1) Transaction is very resource intensive and there is almost always a better way. If you post the non-confidential portions of the searches here, then we can be of more help.

(2) Often, this kind of thing will be much simpler if it is in a dashboard. That way, the time of the event can be detected from the first search and used to qualify the second and/or third searches. Otherwise, you end up coding something that has to search a massive amount of data for very little value.

0 Karma
Reply

dangerusty
Engager
‎03-07-2018 01:00 PM

Sourcetype="ldap" "filter=\"(id=1)\""

[07/Mar/2018:14:01:11 -0600] - OPERATION - INFO - conn=12345 op=123 msgid=456 SEARCH base="example.com" scope=2 controls="" filter="(id=1)" attrs="*"

Sourcetype="ldap" conn=12345 client

[07/Mar/2018:14:00:37 -0600] - CONNECT - INFO - conn=12345 client=10.0.0.2:56789

Sourcetype="loadbalancer" "10.0.0.2|56789"

Client_Acpt | Wed Mar 07 2018 14:00:37 | 10.0.0.5|56789| VIP | 10.0.0.4|636 | SNAT_IP | 10.0.0.2|56789 | Node | 10.0.0.3|636

I want a list of user IP addresses (such as 10.0.0.5 in this case) that searched with filter="(id=1)".

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...