Splunk Search

Need help correlating different events to meet an ultimate condition

jcorkey
Explorer

I have these three different searches:

  1. A search to display when users create a new user account
  2. A search to display when users add a user account to a group
  3. A search to display when users switch to a different user account

Is it even possible to have another search that will know when a specific user has done all of the things above?

I want to be able to know when user1 does ALL of the following items within a 24 hour period: user1 creates user2, user1 adds user2 to a group, user1 switches accounts to become user2.

Since I have those individual searches already, how can I have something else that knows when all three cases have been met by user1?? Like a separate panel on my dashboard that can indicate when all three cases are met. This way I don't have to look through all three panels to see if user1 has done all three things.

0 Karma
1 Solution

DalJeanis
SplunkTrust
SplunkTrust

easy peasy ...

 multisearch
      [ Your search that finds user1 creating user2 | table _time user1 user2   | eval rectype="create"]
      [ Your search that finds user1 adding user2 to group2 | table _time user1 user2 group2   | eval rectype="group"]
     [ Your search that finds user1 becoming user2 | table _time user1 user2   | eval rectype= "switch"]
| stats values(rectype) as rectype, min(_time) as starttime, values(group) as group, range(_time) as duration by user1 user2|
| where mvcount(rectype)=3

Note that to use multisearch, all of the individual commands use to find the various records must be distributed streaming type commands. If you must use any commands that cannot be distributed, then you need to do something like

( Your search that finds user1 creating user2 ) OR
(Your search that finds user1 adding user2 to group2) OR 
(Your search that finds user1 becoming user2)
 | eval rectype=case(something that figures out search 1, "create",  
                                     something that figures out group 2, "group", 
                                     something that figures out group 3, "switch",
                                     true(), "booboo") 
   | eval user1=coalesce(fieldfrom group1, field from group2, field from group3)
   | eval user2=coalesce(fieldfrom group1, field from group2, field from group3)
  | eval group2=(field from group2)
| stats values(rectype) as rectype, min(_time) as starttime, values(group) as group, range(_time) as duration by user1 user2|
| where mvcount(rectype)=3 OR rectype="booboo"

View solution in original post

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

easy peasy ...

 multisearch
      [ Your search that finds user1 creating user2 | table _time user1 user2   | eval rectype="create"]
      [ Your search that finds user1 adding user2 to group2 | table _time user1 user2 group2   | eval rectype="group"]
     [ Your search that finds user1 becoming user2 | table _time user1 user2   | eval rectype= "switch"]
| stats values(rectype) as rectype, min(_time) as starttime, values(group) as group, range(_time) as duration by user1 user2|
| where mvcount(rectype)=3

Note that to use multisearch, all of the individual commands use to find the various records must be distributed streaming type commands. If you must use any commands that cannot be distributed, then you need to do something like

( Your search that finds user1 creating user2 ) OR
(Your search that finds user1 adding user2 to group2) OR 
(Your search that finds user1 becoming user2)
 | eval rectype=case(something that figures out search 1, "create",  
                                     something that figures out group 2, "group", 
                                     something that figures out group 3, "switch",
                                     true(), "booboo") 
   | eval user1=coalesce(fieldfrom group1, field from group2, field from group3)
   | eval user2=coalesce(fieldfrom group1, field from group2, field from group3)
  | eval group2=(field from group2)
| stats values(rectype) as rectype, min(_time) as starttime, values(group) as group, range(_time) as duration by user1 user2|
| where mvcount(rectype)=3 OR rectype="booboo"
0 Karma

somesoni2
SplunkTrust
SplunkTrust

Is it possible to do something like that, yes. Can it be done for your use-case, can't say unless you share more details about all three individual searches, available fields (at least common fields) etc.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...