Splunk Search

How to edit my search to do a correlation between two sourcetypes?

kestasm
Path Finder

Hello I am looking for a way to do a correlation and search between two sourcetypes. Here is what I came up with so far:

(sourcetype="sep:ids" AND signature="OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked") AND (sourcetype="sep:risk" AND signature="W32.Downadup.B") | table remote_host_ip, Computer_name

The goal is to filter all events from sep:ids sourcetype which corresponds to signature="OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked" indicating potential Conficker activity and then to double check that, I need to correlate those remote_host_ip values against the sep:risk sourcetype to make sure if those hosts were ever triggered by SEP with signature="W32.Downadup.B". I also need to output the remote_host_ip (from sep:ids) vs computer_name (from sep:risk) if there is a match.

1 Solution

cpetterborg
SplunkTrust

If you have an AND between your two parenthesized conditions, you won't get any data. Putting an OR instead of the AND will catch both sourcetypes in your search. I'm not sure what method you are using to correlate the two, but I suppose you could use a transaction command if you have a field that you can use to correlate the data from both events, or by time. I'm not sure enough about your data to be able to give you more than that.

If I don't understand the problem and my suggestion is not relevant, please provide more information about your data and how you can correlate the data.

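The following search is an added example of the OR-then-aggregate pattern the accepted answer points at; it is not code from the original thread. An AND between the two parenthesized clauses can never match because each event carries exactly one sourcetype, so the search ORs both clauses and then lets stats do the correlation. The sep:ids events expose the attacking host as remote_host_ip; for the sep:risk side the example assumes the Symantec add-on extracts the infected endpoint's address into a field named ip_address (an assumption, not confirmed by the thread; check the real field name with sourcetype="sep:risk" | fieldsummary | table field, and remember that Splunk field names are case-sensitive). The hard-coded signature strings are the ones from the question.

```spl
(sourcetype="sep:ids" signature="OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked")
OR (sourcetype="sep:risk" signature="W32.Downadup.B")
| eval join_ip=if(sourcetype="sep:ids", remote_host_ip, ip_address)
| stats count(eval(sourcetype="sep:ids")) AS ids_hits
        count(eval(sourcetype="sep:risk")) AS risk_hits
        values(Computer_name) AS Computer_name
        min(_time) AS first_seen
        max(_time) AS last_seen
        BY join_ip
| where ids_hits > 0 AND risk_hits > 0
| convert ctime(first_seen) ctime(last_seen)
| rename join_ip AS remote_host_ip
| table remote_host_ip Computer_name ids_hits risk_hits first_seen last_seen
```

The eval builds one common key (join_ip) from whichever field the event has; stats then groups both sourcetypes on that key and counts how many events of each kind landed in the group, and the where clause keeps only addresses seen in both feeds. Events with no usable IP drop out at the BY step because a null group key is discarded. stats is preferable to transaction here: the question asks whether the host was ever flagged, so there is no need for time-ordered pairing, and stats scales to the long lookback that question implies, while transaction holds events in memory and is far slower. One caveat for the analyst: correlating on IP over a long window is only as good as the address assignment, so on DHCP or NAT'd networks an old sep:risk hit and a new sep:ids hit on the same address may be different machines; adding first_seen/last_seen to the output, as above, and mapping addresses through an asset lookup makes that easier to spot.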
