Join 2 events with same "source"


I want to join the nmap scanning results. The common field is the source "nmapscan_1.gnmap" while other scans will have a different source name.

Event 1

# Nmap 5.51 scan initiated Tue Dec 11 10:54:16 2017 as: nmap -A -T4 -oA scan_192.168.1.0_24_20171219
host=nmapserver   source=nmapscan_1.gnmap   sourcetype=nmap

Event 2

# Nmap done at Tue Dec 11 12:20:04 2017 -- 256 IP addresses (81 hosts up) scanned in 5147.70 seconds
host=nmapserver   source=nmapscan_1.gnmap   sourcetype=nmap

I want to get the following results:

Time, Subnet, #Hosts up, Duration
Tue Dec 11 10:54:16 2017,, 81, 5147.70

Could I use "source" as a common field, and how would I do this? Thanks.



If each file monitored represents a different scan then you can definitely use source for transaction.

Try this:

| rex "scan_(?<network>([0-9]{1,3}\.){3}[0-9]{1,3})_(?<masklen>[0-9]+)_"
| eval subnet=network."/".masklen
| rex "\((?<hosts_up>[0-9]+) hosts up\)"
| transaction startswith=eval(isnotnull(subnet)) endswith=eval(isnotnull(hosts_up)) source
| table _time subnet hosts_up duration



This works perfectly, thanks for the help.

I have changed it a little to use the last subnet, as that one is generated by nmap:

| rex field=_raw ".*scan\sinitiated\s.*\s(?<subnet>\d+\.\d+\.\d+\.\d+\/\d{1,2})"
| rex field=_raw "\((?<hosts_up>\d+)\shosts\sup\)\sscanned\sin\s(?<duration>\d+(?:\.\d+)?)\sseconds"
| transaction startswith=eval(isnotnull(subnet)) endswith=eval(isnotnull(hosts_up)) source
| table _time, subnet, hosts_up, duration
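The same start/end correlation, carried out over a few constructed .gnmap lines in Python rather than SPL, as an added example that is not part of the thread and not Splunk's or Nmap's code. It mirrors the two rex extractions above (subnet from the -oA file name, hosts up and fractional duration from the "Nmap done" line) and the transaction rule: each "Nmap done" is paired with the most recent open "scan initiated" from the same source, and anything that cannot be paired is reported instead of being silently joined. The sample events, the second and third source names and the extra "Host:" line are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample events as (source, _raw) pairs. The first and third lines are
# modelled on the two events quoted in the question; the rest are invented to show
# a second scan file and a "done" line with no matching start.
EVENTS = [
    ("nmapscan_1.gnmap", "# Nmap 5.51 scan initiated Tue Dec 11 10:54:16 2017 as: nmap -A -T4 -oA scan_192.168.1.0_24_20171219 192.168.1.0/24"),
    ("nmapscan_1.gnmap", "Host: 192.168.1.10 ()\tStatus: Up"),
    ("nmapscan_1.gnmap", "# Nmap done at Tue Dec 11 12:20:04 2017 -- 256 IP addresses (81 hosts up) scanned in 5147.70 seconds"),
    ("nmapscan_2.gnmap", "# Nmap 5.51 scan initiated Wed Dec 12 09:00:00 2017 as: nmap -sn -oA scan_10.0.0.0_16_20171212 10.0.0.0/16"),
    ("nmapscan_2.gnmap", "# Nmap done at Wed Dec 12 09:30:00 2017 -- 65536 IP addresses (12 hosts up) scanned in 1800.00 seconds"),
    ("nmapscan_3.gnmap", "# Nmap done at Wed Dec 12 10:00:00 2017 -- 1 IP addresses (1 hosts up) scanned in 2.00 seconds"),
]

# Equivalent of the accepted answer's first rex: subnet pieces from the -oA file name.
START_RE = re.compile(
    r"^# Nmap .* scan initiated (?P<time>.+?) as: .*scan_"
    r"(?P<network>(?:[0-9]{1,3}\.){3}[0-9]{1,3})_(?P<masklen>[0-9]+)_"
)
# Equivalent of the hosts_up/duration rex; duration keeps its fractional part.
DONE_RE = re.compile(
    r"^# Nmap done at (?P<time>.+?) -- \d+ IP addresses? "
    r"\((?P<hosts_up>\d+) hosts? up\) scanned in (?P<duration>\d+(?:\.\d+)?) seconds"
)


@dataclass
class ScanResult:
    source: str
    time: str       # timestamp of the "scan initiated" line, like _time of the transaction
    subnet: str
    hosts_up: int
    duration: float


def correlate(events):
    """Pair each 'Nmap done' line with the latest open 'scan initiated' from the same source.

    Returns (results, unmatched). unmatched lists (source, reason) for starts that never
    finished and for 'done' lines whose start was not seen, which is exactly the case
    where joining on source alone would produce a wrong row.
    """
    open_scans = {}          # source -> fields of the most recent unfinished start
    results, unmatched = [], []
    for source, raw in events:
        m = START_RE.search(raw)
        if m:
            if source in open_scans:   # two starts in one file before any "done"
                unmatched.append((source, "start without done: " + open_scans[source]["time"]))
            open_scans[source] = {"time": m["time"], "subnet": f"{m['network']}/{m['masklen']}"}
            continue
        m = DONE_RE.search(raw)
        if m:
            start = open_scans.pop(source, None)
            if start is None:
                unmatched.append((source, "done without start: " + m["time"]))
                continue
            results.append(ScanResult(source, start["time"], start["subnet"],
                                      int(m["hosts_up"]), float(m["duration"])))
    for source, start in open_scans.items():
        unmatched.append((source, "start without done: " + start["time"]))
    return results, unmatched


def to_table(results):
    """Render results in the 'Time, Subnet, #Hosts up, Duration' shape the question asks for."""
    rows = ["Time, Subnet, #Hosts up, Duration"]
    rows += [f"{r.time}, {r.subnet}, {r.hosts_up}, {r.duration:.2f}" for r in results]
    return "\n".join(rows)


if __name__ == "__main__":
    found, problems = correlate(EVENTS)
    print(to_table(found))
    for source, reason in problems:
        print(f"unmatched in {source}: {reason}")
```

Running it prints one row per completed scan and a line for nmapscan_3.gnmap, whose "Nmap done" had no start in the same source. That unmatched list is the check worth keeping when relying on source as the only join key: if a file ever holds more than one scan, or a start line was not indexed, the mismatch shows up here rather than as a plausible-looking but wrong duration.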

Super Champion

hey @henryyiu2degrees

No, you cannot use the source as a common field. As in that particular source field there might be plenty of events, there is essentially nothing common as such in these particular two events. Also, source is a metadata field; it is not something that comes from the logs.
So if you want to correlate these two events, then you need to have something common in the raw logs, i.e. host_ip OR username/userid, which is a unique identifier only for those particular two events.

I hope this explanation helps you understand these things!


Super Champion

Also try this

index=index1  OR index=index2  (source=source1 OR source=source2)
| rex field=_raw "gtid\((?P<trans_id>[^\)]+)"
| stats values(_raw) as raw_event by trans_id

Let me know what you get



Thanks @mayurr98 for your comment.

I'm afraid there is no common field in the raw logs, but could I join "scan initiated" and the next "Nmap done" together?


Super Champion

I don't think so, but you can try the search below

index=your_index | transaction startswith="scan initiated" endswith="Nmap done"

After running this search, see if events like these are getting correlated, although it is not recommended to use this command unless you have a common field, but just check!

Let me know if this works!



I have tried this and it works as well, but the other answer is more accurate.
Appreciate your help, thanks a lot.
