Splunk Search

Pull 2 sourcetypes based off the timestamp and IP in a lookup table for +/- 5 minutes from the timestamp

splunkfuinator
New Member

I have a query that produces a lookup table with three columns: _time, src_IP, and user. _time is currently formatted with strftime(_time, "%F-%H:%M") and labeled "Time1". I would like to make a query that takes the src_IP, looks at the _time, and then searches for 2 sourcetypes, HTTP and HTTPS, with the source (src) IP as the source of the traffic for + and - 5 minutes before and after the _time in the lookup table.

So, if you look at the example in my .png, the new search would take the src_ip of .210 and do another search for HTTP/HTTPS traffic from .210 between 16:15 - 16:25.

tyvm!



martin_mueller
SplunkTrust

That's a textbook case for map: http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/map

search producing that table with _time left as epoch | eval start = relative_time(_time, "-5m") | eval end = relative_time(_time, "+5m") | map search="search earliest=$start$ latest=$end$ (sourcetype=HTTP OR sourcetype=HTTPS) src=\"$src_ip$\""

That'll run one search for every result returned by the first search for that src_ip around the timestamp.
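Putting the answer together for the poster's exact setup, as an added example that is not part of the reply above: it assumes the table is stored as a lookup named user_ips.csv (a name chosen here), that its Time1 column holds the "%F-%H:%M" string from the question, and that the outer search has no more than 100 rows. Time1 is converted back to epoch with strptime, because relative_time and earliest/latest need numeric time, and the user column is carried into each inner search so the HTTP/HTTPS events can be tied back to the lookup row.

```spl
| inputlookup user_ips.csv
| eval _time = strptime(Time1, "%F-%H:%M")
| eval start = relative_time(_time, "-5m"), end = relative_time(_time, "+5m")
| map maxsearches=100 search="search earliest=$start$ latest=$end$ (sourcetype=HTTP OR sourcetype=HTTPS) src=\"$src_ip$\" | eval user=\"$user$\", lookup_time=\"$Time1$\""
| table _time user lookup_time src sourcetype
```

map stops after its default limit of 10 inner searches, so raise maxsearches to cover the row count of the lookup; a lookup whose src_ip column is empty for some rows would otherwise produce an inner search with src="" that matches nothing.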
