Splunk Search

Need help correlating different events to meet an ultimate condition

jcorkey
Explorer

I have these three different searches:

  1. A search to display when users create a new user account
  2. A search to display when users add a user account to a group
  3. A search to display when users switch to a different user account

Is it even possible to have another search that will know when a specific user has done all of the things above?

I want to be able to know when user1 does ALL of the following items within a 24-hour period: user1 creates user2, user1 adds user2 to a group, user1 switches accounts to become user2.

Since I have those individual searches already, how can I have something else that knows when all three cases have been met by user1? Like a separate panel on my dashboard that can indicate when all three cases are met. This way I don't have to look through all three panels to see if user1 has done all three things.

0 Karma
1 Solution

DalJeanis
Legend

easy peasy ...

multisearch
    [ Your search that finds user1 creating user2 | fields _time user1 user2 | eval rectype="create" ]
    [ Your search that finds user1 adding user2 to group2 | fields _time user1 user2 group2 | eval rectype="group" ]
    [ Your search that finds user1 becoming user2 | fields _time user1 user2 | eval rectype="switch" ]
| stats values(rectype) as rectype, min(_time) as starttime, values(group2) as group, range(_time) as duration by user1 user2
| where mvcount(rectype)=3

Note that to use multisearch, all of the individual commands used to find the various records must be distributed streaming type commands. If you must use any commands that cannot be distributed, then you need to do something like

( Your search that finds user1 creating user2 ) OR
( Your search that finds user1 adding user2 to group2 ) OR
( Your search that finds user1 becoming user2 )
| eval rectype=case(something that identifies search 1, "create",
                    something that identifies search 2, "group",
                    something that identifies search 3, "switch",
                    true(), "booboo")
| eval user1=coalesce(field from search 1, field from search 2, field from search 3)
| eval user2=coalesce(field from search 1, field from search 2, field from search 3)
| eval group2=(field from search 2)
| stats values(rectype) as rectype, min(_time) as starttime, values(group2) as group, range(_time) as duration by user1 user2
| where mvcount(rectype)=3 OR rectype="booboo"


0 Karma
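The same correlation as the accepted answer's stats/where logic, written as an added Python example (not from the original thread) so it can be run against constructed sample rows; it uses the answer's field names user1, user2, group2 and rectype, and additionally enforces the 24-hour window from the question, which range(_time) alone only measures.

```python
from collections import defaultdict

# Constructed sample records standing in for the rows the three searches would
# emit (user1 = actor, user2 = target account, rectype as in the answer).
# Epoch timestamps; hypothetical data, not from the original thread.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "user1": "alice", "user2": "svc_backup", "rectype": "create"},
    {"_time": 1700003600, "user1": "alice", "user2": "svc_backup", "rectype": "group", "group2": "Administrators"},
    {"_time": 1700007200, "user1": "alice", "user2": "svc_backup", "rectype": "switch"},
    {"_time": 1700000000, "user1": "bob", "user2": "tmpuser", "rectype": "create"},
    {"_time": 1700003600, "user1": "bob", "user2": "tmpuser", "rectype": "group", "group2": "Users"},
    # bob switches three days after the create: outside the 24 hour window
    {"_time": 1700259200, "user1": "bob", "user2": "tmpuser", "rectype": "switch"},
    # carol performs only two of the three steps
    {"_time": 1700000000, "user1": "carol", "user2": "newacct", "rectype": "create"},
    {"_time": 1700001000, "user1": "carol", "user2": "newacct", "rectype": "switch"},
]

REQUIRED = {"create", "group", "switch"}
WINDOW = 24 * 3600  # the 24 hour period from the question, in seconds


def correlate(events, window=WINDOW):
    """Group records by (user1, user2) like `stats ... by user1 user2`, then
    require all three rectypes (mvcount(rectype)=3) within `window` seconds
    of a create event. Returns one hit per pair with the stats' fields."""
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev["user1"], ev["user2"])].append(ev)
    hits = []
    for (user1, user2), evs in by_pair.items():
        evs.sort(key=lambda e: e["_time"])
        # Anchor on each create so the group add and switch must follow it.
        for anchor in (e for e in evs if e["rectype"] == "create"):
            start = anchor["_time"]
            in_window = [e for e in evs if start <= e["_time"] <= start + window]
            if REQUIRED <= {e["rectype"] for e in in_window}:
                hits.append({
                    "user1": user1, "user2": user2, "starttime": start,
                    "duration": in_window[-1]["_time"] - start,  # = range(_time)
                    "group": sorted({e["group2"] for e in in_window if "group2" in e}),
                })
                break  # one alert per actor/target pair is enough
    return hits


if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print(hit)
```

Only the alice/svc_backup pair satisfies all three steps inside the window; bob's switch falls outside it and carol never adds the account to a group.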


somesoni2
Revered Legend

Is it possible to do something like that, yes. Can it be done for your use-case, can't say unless you share more details about all three individual searches, available fields (at least common fields) etc.

0 Karma