Splunk Search

How do you correlate data across two sources with time comparison between events?

blascola
New Member

I want to create an alert for when a user logs in without badging a door within 8 hours prior. My login logs and door logs are in two separate indexes and source types. I created an alias in both source types so the account name field matches. Is there a way to do a time comparison within an eval similar to eval login=if(login to door time >= 8hrs,bad,good)?

0 Karma

laurie_gellatly
Communicator

http://wiki.splunk.com/Community:UseSplunkForEventCorrelation might help and/or consider using stats.

You might be able to improve on this with a single stats command, but at least this should work and give you the ability to specify different time ranges per index:

index=logins
| stats max(_time) as lt by account 
| join account [ search index=door_time | stats min(_time) as ft by account | fields + ft account] 
| eval duration = lt-ft 
| table duration lt ft account

Assumes that 'account' is your user name that matches in both indexes.

...Laurie:{)

0 Karma
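As an added example (my own code, not part of the thread and not Splunk's), here is the same correlation written in Python so the rule can be checked against sample data. The posted SPL keeps one latest login and one earliest badge per account, so a second login many hours after a badge, or a badge that only happens after the login, is not evaluated on its own; the version below is the per-event generalization: for every login it looks up the latest badge by the same account at or before that login and applies the question's "8 hours or more is bad" rule. The log lines, field names (user, cardholder, the timestamp layout) and the 8-hour window are constructed assumptions for the example.

```python
import re
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not from the original post). The login source
# names the person in "user=", the door source in "cardholder="; both are
# mapped to one "account" key below, as the question does with an alias.
LOGIN_LOG = """\
2024-05-01T08:05:00Z host=vpn1 action=login user=alice
2024-05-01T09:30:00Z host=vpn1 action=login user=bob
2024-05-01T10:00:00Z host=vpn1 action=login user=carol
2024-05-01T20:00:00Z host=vpn1 action=login user=alice
"""

DOOR_LOG = """\
2024-05-01T00:30:00Z reader=lobby-1 event=badge_ok cardholder=bob
2024-05-01T07:50:00Z reader=lobby-1 event=badge_ok cardholder=alice
2024-05-01T21:00:00Z reader=lobby-1 event=badge_ok cardholder=carol
"""

WINDOW_HOURS = 8  # assumed threshold from the question: >= 8h without a badge is "bad"
KV = re.compile(r"(\w+)=(\S+)")


def parse_events(text, account_field):
    """Turn 'timestamp k=v k=v ...' lines into (time, account) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        fields = dict(KV.findall(rest))
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, fields[account_field]))
    return events


def correlate(logins, badges, window_hours=WINDOW_HOURS):
    """For each login, find the latest badge by the same account at or before
    the login. Verdict is 'bad' if there is none or it is window_hours or
    more in the past; badges after the login never count as 'prior'."""
    window_seconds = window_hours * 3600
    by_account = defaultdict(list)
    for when, account in badges:
        by_account[account].append(when)
    for times in by_account.values():
        times.sort()

    results = []
    for login_at, account in sorted(logins):
        times = by_account.get(account, [])
        idx = bisect_right(times, login_at)          # badges at or before the login
        last_badge = times[idx - 1] if idx else None
        gap = (login_at - last_badge).total_seconds() if last_badge else None
        verdict = "good" if gap is not None and gap < window_seconds else "bad"
        results.append({
            "account": account,
            "login": login_at,
            "last_badge": last_badge,
            "gap_seconds": gap,
            "verdict": verdict,
        })
    return results


def bad_logins(login_text=LOGIN_LOG, door_text=DOOR_LOG, window_hours=WINDOW_HOURS):
    """The rows that should raise the alert."""
    rows = correlate(parse_events(login_text, "user"),
                     parse_events(door_text, "cardholder"), window_hours)
    return [r for r in rows if r["verdict"] == "bad"]


if __name__ == "__main__":
    for r in correlate(parse_events(LOGIN_LOG, "user"), parse_events(DOOR_LOG, "cardholder")):
        print(r["verdict"], r["account"], r["login"].isoformat(),
              "last badge:", r["last_badge"], "gap_s:", r["gap_seconds"])
```

With the constructed data, alice's 08:05 login is good (badged 15 minutes earlier), bob's 09:30 login is bad (badged 9 hours earlier), carol's 10:00 login is bad (her only badge is after the login) and alice's 20:00 login is bad (last badge 12 hours earlier). In Splunk the same per-login evaluation is what a single stats or streamstats over both indexes, split by account and ordered by _time, gives you without the join's subsearch limits.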