Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Join events by closest time

pembleton
Path Finder
‎06-23-2013 11:22 AM

Hello, lets say I have events from two sourcetypes:

  1. time, ip, hostname
  2. time, ip, username

Now I want to match username to hostname based on the time and ip field in the following manner:
ip has to be the same, time has to be the closest time (before or after). Any easy out of the box way for doing that?

Tags (1)
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎06-23-2013 03:11 PM

If you know the two events are less than n seconds apart you could use transaction on the field ip with a maxspan of n seconds.

Reply

pembleton
Path Finder
‎06-24-2013 11:48 PM

oh, but what I still want is to find the closest one between them, this just gives me a great big list

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎06-24-2013 02:11 PM

Maybe this is what you need then:

... | eventstats values(username) as users values(hostname) as hosts by ip
0 Karma
Reply

pembleton
Path Finder
‎06-24-2013 11:16 AM

ok, so what i meant is that an event can have numerous partners, meaning many users can come from the same host. and a user could use many hosts.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎06-24-2013 11:05 AM

Event 12:09 is now closer to 12:11 than to 12:05 so 12:09 must be associated with 12:11 and 12:05 loses its "partner".

0 Karma
Reply

pembleton
Path Finder
‎06-24-2013 10:56 AM

First question - yes
Second - no, why has anything changed?

I'll look into streamstats and come back

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎06-24-2013 04:19 AM

You could try using streamstats by ip to add recent usernames and recent hostnames to neighbouring events.

Whether that works depends on your data. For example, if you have this set at 12:10:

12:00 1.2.3.4 host=foohost
12:05 1.2.3.4 user=foouser
12:09 1.2.3.4 host=barhost

You would associate 12:05 with 12:09?
What if at 12:11 you get another event like this:

12:11 1.2.3.4 user=baruser

Would you now associate 12:05 with 12:00?

0 Karma
Reply

pembleton
Path Finder
‎06-24-2013 12:39 AM

I have that one ready, but I don't know how far apart they are, I want to find the closest one for each event, with no limit.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...