Perform Transaction for only repeating values of f...

omend · ‎07-16-2013

Hi,

I'm looking to write a splunk search that joins consecutive similar events.
The data is of IP Addresses allocation to machine names, so the lines are of the following format:

[Start Time],[End Time],[Hostname],[IP Address]
10:00,10:15,MINE-PC,10.0.0.2
10:15,12:00,MINE-PC,10.0.0.2
12:00,12:45,MINE-PC,10.0.0.5
12:45,13:08,MINE-PC,10.0.0.5
13:08,13:37,MINE-PC,10.0.0.2

I would like to join all consecutive identical IP Addresses so the results should look like:
[Start Time],[End Time],[Hostname],[IP Address]
10:00,12:00,MINE-PC,10.0.0.2
12:00,13:08,MINE-PC,10.0.0.5
13:08,13:37,MINE-PC,10.0.0.2

Could anyone please provide a short search code?

Thanks,
Ori.

dmlee · ‎07-16-2013

may I know if the live time of an allocated IP is always 15 minutes or can be any range ?
if the live time is always 15 minutes , you can try this :

sourcetype="omend" | rex "(?P[^,]+),(?P[^,]+),(?P[^,]+),(?P[^,]+)" | transaction maxpause=15m IP HostName

omend · ‎07-16-2013

Unfortunately the 15 minutes bucket is only for the example purposes, it can be any time range.

Perform Transaction for only repeating values of field

See just what you’ve been missing | Observability tracks at Splunk University

Weezer at .conf25? Say it ain’t so!

How SC4S Makes Suricata Logs Ingestion Simple

Are you a member of the Splunk Community?

Perform Transaction for only repeating values of field

See just what you’ve been missing | Observability tracks at Splunk University

Weezer at .conf25? Say it ain’t so!

How SC4S Makes Suricata Logs Ingestion Simple