Splunk Search

Match two events that occur within certain time of each other

johnnybravo
Explorer

I am trying to perform a search that will show me when users have wireless problems. There are two events "associate" and "disassociate" that I am tracking. The field is the same, but the value is different. Example events are below:

Dec 7 19:19:17 sta e8c6:6850:ab9e is associated
Dec 7 19:19:27 sta e8c6:6850:ab9e is disassociated

The first indicates the laptop has joined the wireless network, and the second that they have disconnected from it. I want to report when the same MAC address has both associate and disassociate events in a 1 minute time-span.

I've tried a few things so, but no luck so far. I have the fields extracted. I tried two different methods on the ass/dis fields. I have that field assigned to wifiEvent with the value extracted. The other method was two fields where wifiJoin matches on associate and wifiLeave on the dis. I tried this because it looks like contingency would do the trick, and it needs two fields to look at. However, having those two fields really be the same field seems not to work.

Can someone nudge me in the right direction please?

Tags (1)
0 Karma
1 Solution

Ayn
Legend

The most straightforward way to solve this would be to use transaction. This will join separate events together to a new combined event (a transaction) based on rules that you specify. You can then search for transactions that match multiple conditions.

In your case, you want to find cases where "is associated" and "is disassociated" occur within a 1 minute interval. This can be accomplished using transaction like this:

"is associated" OR "is disassociated" 
| transaction mac_addr startswith="is associated" endswith="is disassociated" maxspan=1m

If you have "associated" and "disassociated" extracted to some field (let's call it status) you can use that:

status="associated" OR status="disassociated" 
| transaction mac_addr startswith=eval(status="associated") endswith=eval(status="disassociated") maxspan=1m

Any events returned by these searches will match your condition. I used "mac_addr" as an argument to transaction, change this to whatever you've called the field containing the MAC address in your case. This argument specifies what field(s) Splunk should look for and use when grouping together events, so in this case Splunk will be looking to grouping events into transactions if they have the same value for the "mac_addr" field.

More information on the transaction command is available in the docs: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction

View solution in original post

Ayn
Legend

The most straightforward way to solve this would be to use transaction. This will join separate events together to a new combined event (a transaction) based on rules that you specify. You can then search for transactions that match multiple conditions.

In your case, you want to find cases where "is associated" and "is disassociated" occur within a 1 minute interval. This can be accomplished using transaction like this:

"is associated" OR "is disassociated" 
| transaction mac_addr startswith="is associated" endswith="is disassociated" maxspan=1m

If you have "associated" and "disassociated" extracted to some field (let's call it status) you can use that:

status="associated" OR status="disassociated" 
| transaction mac_addr startswith=eval(status="associated") endswith=eval(status="disassociated") maxspan=1m

Any events returned by these searches will match your condition. I used "mac_addr" as an argument to transaction, change this to whatever you've called the field containing the MAC address in your case. This argument specifies what field(s) Splunk should look for and use when grouping together events, so in this case Splunk will be looking to grouping events into transactions if they have the same value for the "mac_addr" field.

More information on the transaction command is available in the docs: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction

johnnybravo
Explorer

Precisely what I needed, thank you very much!

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...