Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Multi sourcetype search for extracted value
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Multi sourcetype search for extracted value
I am having some issues getting this to work correctly. It does not return all the results. I have different records in different sourcetypes under the same index.
sourcetypeA
eventID = computerName.sessionID
infoIWant1 = someinfo1
infoIWant2 = someinfo2
SourcetypeB's events are broken into events that I need to correlate.
sourcetypeB
event1-------------------------------------------------------
sessionID= sessionNo1
direction=receive
-----------------------------------------------------------------
event2--------------------------------------------------------
sessionID=sessionNo1
direction=send
-----------------------------------------------------------------
I attempted the below search using the transaction command to correlate the records in sourcetypeB.
index=INDEX sourcetype=sourcetypeA
| rex field=eventID "\w{0,30}+.(?<sessionID>\d+)"
| do some filter on infoIWant fields here
| join type=inner sessionID
[ search index=INDEX sourcetype=sourcetypeB
| transaction sessionID
| where eventcount==2
| fields sessionID duration ]
| chart count by duration- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your help Giusepe. This is helpful for getting the duration. However, I would also like to table the results from filtering the events in sourcetypeA and having the duration. This solution does not seem to merge the two resulting searches.
ex.
table _time computerName sessionID filteredInfoIWant1 filteredInfoIwant2 duration
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @whipstash ,
add to the stats command, using the values option9 all the fields you need from both the searches:
index=INDEX sourcetype=sourcetypeA
| rex field=eventID "\w{0,30}+.(?<sessionID>\d+)"
| do some filter on infoIWant fields here
| append [ search
index=INDEX sourcetype=sourcetypeB
| stats
count AS eventcount
earliest(_time) AS earliest
latest(_time) AS latest
BY sessionID
| eval duration=latest-earliest
| where eventcount=2
| fields sessionID duration field3 field4 ]
| stats
values(eventID) AS eventID
values(duration) AS duration
values(field1) AS field1
values(field2) AS field2
values(field3) AS field3
values(field4) AS field4
values(count) AS count
BY sessionIDCiao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @whipstash ,
don't use join command that's a very slow command, use a different approach:
index=INDEX sourcetype=sourcetypeA
| rex field=eventID "\w{0,30}+.(?<sessionID>\d+)"
| do some filter on infoIWant fields here
| append [ search
index=INDEX sourcetype=sourcetypeB
| stats
count AS eventcount
earliest(_time) AS earliest
latest(_time) AS latest
BY sessionID
| eval duration=latest-earliest
| where eventcount=2
| fields sessionID duration ]
| stats
values(eventID) AS eventID
values(duration) AS duration
values(count) AS count
BY sessionIDPlease adapt this approach to your real situation.
Ciao.
Giuseppe
Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform
Calling All Security Pros: Ready to Race Through Boston?
Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...
