Splunk Search

Join 3 tables together with conditions

horsefez
Motivator

Hi there,

I'm into correlation searches now and I'm stuck on a problem combining tree tables, while certain conditions need to be met.

In my company, administrators do configuration changes according to tickets in a ticket manager.

Table 1 (srctype=Changes) contains Change-Sessions by the Admins

02-10-15 07:40:00 LOGON 172.16.9.11 192.168.122.199 user1
02-10-15 07:41:00 CHNGE 172.16.9.11 192.168.122.199 user1
02-10-15 07:41:10 CHNGE 172.16.9.11 192.168.122.199 user1
02-10-15 07:41:20 CHNGE 172.16.9.11 192.168.122.199 user1
02-10-15 07:42:20 LOGOF 172.16.9.11 192.168.122.199 user1

Table 2 (deviceip_devicename) lists known devices an their corresponding IP address

192.168.122.187,lan-switch-1
192.168.122.199,lan-switch-2

Table 3 (srctype=Tickets) lists all changes that admins were allowed to do

02-10-15 07:35:00 configchange user1 lan-switch-2 IM735903

You see here that I first have to join Table 1 and Table 2 with the IP, to then join them together with Table 3.
The conditions I want to check are if there is a valid change-ticket (Ticket-ID IM*) to a change-session.

You also notice that the time of the change-ticket is different to the time of the change-session. When there is a change ticket for 07:35 the change should be possible for one hour. When the change is done after this period of time the change should be invalid.


So far I've written the following search:

index=_* OR index=* sourcetype=Changes 
|transaction Source_IP Destination_IP Username startswith="LOGON" endswith="LOGOF" 
| join Destination_IP [inputlookup deviceip_devicename | rename Device_IP AS Destination_IP]
| join type=left date_hour [search sourcetype=Ticketcenter | fields Ticket_ID Device_Name date_hour] 
| where Ticket_ID!="" 

Thanks in advance! 🙂

0 Karma
1 Solution

jplumsdaine22
Influencer

There are a bunch of splunk answers already on this subject. First read the answer here: https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo...

Specificically in your case I would start with something like this:

 (sourcetype=changes OR  sourcetype=Ticketcenter) | lookup deviceip_devicename deviceip AS <fieldname of ip address in sourcetype=changes> OUTPUT devicename | eval session_time=if(sourcetype=="changes",_time,NULL) | eval ticket_time=if(sourcetype=="Ticketcenter",_time,NULL) | stats values(*) as * by devicename | fields <as desired> 

You should be able to validate the times with an additional |where command comparing the two time fields. It can be hard to shake the idea of requiring joins - try to think of Splunk as one big table!

View solution in original post

0 Karma

jplumsdaine22
Influencer

There are a bunch of splunk answers already on this subject. First read the answer here: https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo...

Specificically in your case I would start with something like this:

 (sourcetype=changes OR  sourcetype=Ticketcenter) | lookup deviceip_devicename deviceip AS <fieldname of ip address in sourcetype=changes> OUTPUT devicename | eval session_time=if(sourcetype=="changes",_time,NULL) | eval ticket_time=if(sourcetype=="Ticketcenter",_time,NULL) | stats values(*) as * by devicename | fields <as desired> 

You should be able to validate the times with an additional |where command comparing the two time fields. It can be hard to shake the idea of requiring joins - try to think of Splunk as one big table!

0 Karma

horsefez
Motivator

Thank you very much!

I also found that posting, but I for myself find it hard to change your thinking to working with stats and chart. Join and append are more intuitive. But I'll try! 🙂

0 Karma
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...