How to correlate several distinct events linked by multiple different fields without the transaction command?

MarioM
Motivator

I need help correlating several distinct events that are linked to each other by different fields (4 fields), and doing it without the transaction command because of its performance cost.

Event 1 --- field of interest 'msg', i.e. "msg=audit(1406101599.298:11965)" --- source=/var/log/audit/audit.log

node=nodesrv0001
type=PATH
msg=audit(1406101599.298:11965):
item=0 name="/etc/group"
inode=280905 dev=fd:01 mode=0100644
ouid=0 ogid=0 rdev=00:00
nametype=NORMAL

Event 2 --- field of interest 'auid', i.e. "auid=4294967295" --- source=/var/log/audit/audit.log

node=nodesrv0001
type=SYSCALL
msg=audit(1406101599.298:11965):
arch=c000003e syscall=90 success=yes exit=0
a0=1bf1ce0 a1=81a4 a2=48ed57 a3=0
items=1
ppid=27177 pid=27230
auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3
ses=4294967295
comm="vi" exe="/bin/vi"
key="Access-change"

Event 3 --- field of interest 'pid', i.e. "pid=27016" --- source=/var/log/audit/audit.log

node=nodesrv0001
type=SYSCALL
msg=audit(1406101460.101:11730):
arch=c000003e syscall=2 success=yes exit=4
a0=495340 a1=1 a2=2 a3=8
items=1
ppid=27015 pid=27016
auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3
ses=4294967295
comm="pblocald" exe="/usr/sbin/pblocald"
key="logins"

Event 4 --- (the link with the previous event is pblocald[27016], extracted and aliased to 'pid') --- field of interest 'uniqueid', i.e. "uniqueid: 0a411a8c53cf67cd5202" --- source=/var/log/audit/audit.log

2014-07-23T08:44:20.102759+01:00
nodesrv0001
pblocald[27016]:
pblocald[27015]:
PowerBroker started bash on 2014/07/23 at 8:44,
uniqueid: 0a411a8c53cf67cd5202
psmcmapid: 0a4b4a2453cf67cd3ADF

Event 5 --- (linked to the previous event by 'uniqueid') ---

2014-07-23T08:44:19.952255+01:00
nodesrv0001
pblocald8.0.0-10:
pblocald[27015]:
PowerBroker accepted bash on 2014/07/23 at 08:44:13 BST,
submitted by sa_jdoe on srv0094
run by root on nodesrv0001
Logserver: logsrv0001 logsrv0002
iolog:/apps/powerbroker/iologs/2014/07/23/084419.sa_jdoe.nodesrv0001.root.bash
ticket_string:
uniqueid: 0a411a8c53cf67cd5202
psmcmapid: 0a4b4a2453cf67cd3ADF
0 Karma

MuS
Legend

Hi MarioM,

Usually I use stats, chart, streamstats or eventstats for something like this. Also take a look at this post for some examples: http://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-joi...

Hope this helps ...

cheers, MuS
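As an added example (not MuS's search and not from the original thread), the following SPL applies the stats-only approach to the five events posted in the question. The chain of link fields is msg → auid → pid → uniqueid, so the search runs one stats pass per link field: before each pass, eval copies the current link field into a working key k, and rows that lack that field fall back to a per-row id built from the eid that streamstats assigned, so they survive the pass unmerged. It assumes the field extractions the question describes already exist (node, type, msg, name, auid, pid, uniqueid, comm, with pblocald[NNNNN] aliased to pid); the field names k and eid are working names chosen here.

```spl
source="/var/log/audit/audit.log"
| fields _time node type msg name auid pid uniqueid comm
| streamstats count AS eid
| eval k=coalesce(msg, "e".eid)
| stats min(_time) AS _time, min(eid) AS eid, values(node) AS node, values(type) AS type, values(name) AS name, values(auid) AS auid, values(pid) AS pid, values(uniqueid) AS uniqueid, values(comm) AS comm BY k
| eval k=coalesce(auid, "e".eid)
| stats min(_time) AS _time, min(eid) AS eid, values(node) AS node, values(type) AS type, values(name) AS name, values(auid) AS auid, values(pid) AS pid, values(uniqueid) AS uniqueid, values(comm) AS comm BY k
| eval k=coalesce(pid, "e".eid)
| stats min(_time) AS _time, min(eid) AS eid, values(node) AS node, values(type) AS type, values(name) AS name, values(auid) AS auid, values(pid) AS pid, values(uniqueid) AS uniqueid, values(comm) AS comm BY k
| eval k=coalesce(uniqueid, "e".eid)
| stats min(_time) AS _time, min(eid) AS eid, values(node) AS node, values(type) AS type, values(name) AS name, values(auid) AS auid, values(pid) AS pid, values(uniqueid) AS uniqueid, values(comm) AS comm BY k
| where isnotnull(name) AND isnotnull(uniqueid)
| table _time node name auid pid comm uniqueid
```

Walking the posted events through it: pass 1 (by msg) merges the PATH and SYSCALL records of audit id 11965, giving one row with name=/etc/group, auid=4294967295 and pid=27230; pass 2 (by auid) merges that row with the pblocald SYSCALL of audit id 11730, so pid becomes the multivalue {27230, 27016}; pass 3 (by pid) merges it with the "PowerBroker started bash" line via 27016 and picks up uniqueid; pass 4 (by uniqueid) adds the "PowerBroker accepted bash" line with the submitting user. Because stats treats each value of a multivalue BY field as its own group, intermediate passes also leave partial rows behind (for example a copy keyed on pid=27230 with no uniqueid); the final where clause keeps only rows that carry both ends of the chain. Two caveats a reviewer of this search would raise: auid=4294967295 is the unset login UID (-1 as an unsigned 32-bit value), so on a busy host it will merge audit records from unrelated sessions and a narrower link such as pid or ses is preferable where available; and each stats pass holds its groups in memory, so keep the time range tight and the fields list early, as above, which is still far cheaper than transaction with four maxspan-less link fields.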
