Splunk Search

How to correlate several distinct events linked by multiple different fields without the transaction command?

MarioM
Motivator

I need help on correlating several distinct events and different fields (4 fields) linking to each events and doing it without the transaction command because of the performance cost.

event 1 --- field of interest 'msg' ie."msg=audit(1406101599.298:11965)" --- "source=/var/log/audit/audit.log"

node=nodesrv0001
type=PATH
msg=audit(1406101599.298:11965):
item=0 name="/etc/group"
inode=280905 dev=fd:01 mode=0100644
ouid=0 ogid=0 rdev=00:00
nametype=NORMAL

event 2 --- field of interest 'auid' ie."auid=4294967295" --- "source=/var/log/audit/audit.log"

node=nodesrv0001
type=SYSCALL
msg=audit(1406101599.298:11965):
arch=c000003e syscall=90 success=yes exit=0
a0=1bf1ce0 a1=81a4 a2=48ed57 a3=0
items=1
ppid=27177 pid=27230
auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3
ses=4294967295
comm="vi" exe="/bin/vi"
key="Access-change"

event 3 --- field of interest 'pid' ie."pid=27016" --- "source=/var/log/audit/audit.log"

node=nodesrv0001
type=SYSCALL
msg=audit(1406101460.101:11730):
arch=c000003e syscall=2 success=yes exit=4
a0=495340 a1=1 a2=2 a3=8
items=1
ppid=27015 pid=27016
auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3
ses=4294967295
comm="pblocald" exe="/usr/sbin/pblocald"
key="logins"

event 4 --- (the link with previous event is pblocald[27016] extracted and aliased to 'pid') --- field of interest 'uniqueid' ie."uniqueid: 0a411a8c53cf67cd5202" --- "source=/var/log/audit/audit.log"

2014-07-23T08:44:20.102759+01:00
nodesrv0001
pblocald[27016]:
pblocald[27015]:
PowerBroker started bash on 2014/07/23 at 8:44,
uniqueid: 0a411a8c53cf67cd5202
psmcmapid: 0a4b4a2453cf67cd3ADF

event 5 ---

2014-07-23T08:44:19.952255+01:00
nodesrv0001
pblocald8.0.0-10:
pblocald[27015]:
PowerBroker accepted bash on 2014/07/23 at 08:44:13 BST,
submitted by sa_jdoe on srv0094
run by root on nodesrv0001
Logserver: logsrv0001 logsrv0002
iolog:/apps/powerbroker/iologs/2014/07/23/084419.sa_jdoe.nodesrv0001.root.bash
ticket_string:
uniqueid: 0a411a8c53cf67cd5202
psmcmapid: 0a4b4a2453cf67cd3ADF
0 Karma

MuS
Legend

Hi MarioM,

usually I use stats, chart, streamstats or eventstats for something like this. Also take a look at this post to get some examples http://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-joi...

hope this helps ...

cheers, MuS

Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...