Splunk Search

Removing result based on timestamp

rebelnn
New Member

Hello,
I have the following query

1.1.1.1 11 2.2.2.2 22 ciscoasafw index=firewall

results are

10/01/2018
14:22:50.000

Jan 10 14:22:50 ciscoasafw : %ASA-6-106100: access-list ACL_INSIDE permitted tcp INSIDE/1.1.1.1(11) -> OUTSIDE/2.2.2.2(22) hit-cnt 2 300-second interval [0xb4d91445, 0x0]

10/01/2018
14:22:48.000

Jan 10 14:22:48 ciscoasafw : %ASA-6-106100: access-list ACL_OUTSIDE permitted tcp OUTSIDE/2.2.2.2(22) -> INSIDE/1.1.1.1(11) hit-cnt 5 300-second interval [0x6450c313, 0x0]

I want to hide the later result if it's within 5 seconds. Basically, some if statement (I'd guess): if the 2 results are within 5 seconds, don't display the last result -> hide it.

Any help is appreciated.

thanks,

0 Karma

rebelnn
New Member

Thanks for the replies, but I think my explanation was not sufficient, sorry about that. Basically, my query will look something like this:

host=ciscoasafw index=firewall

This will list thousands of IP addresses and ports. I want to make sure that if there are 2 events within 5 seconds where source IP is 1.1.1.1, source port is 11, destination IP is 2.2.2.2 and destination port is 22, AND its reverse (source IP 2.2.2.2, source port 22, destination IP 1.1.1.1, destination port 11) is happening, then the result happening later is discarded - example:

14:22:50 ciscoasafw : %ASA-6-106100: access-list ACL_INSIDE permitted tcp INSIDE/1.1.1.1(11) -> OUTSIDE/2.2.2.2(22) hit-cnt 2 300-second interval [0xb4d91445, 0x0]

14:22:48 ciscoasafw : %ASA-6-106100: access-list ACL_OUTSIDE permitted tcp OUTSIDE/2.2.2.2(22) -> INSIDE/1.1.1.1(11) hit-cnt 5 300-second interval [0x6450c313, 0x0]

In this example the result with 14:22:50 should be discarded. I don't want to match on IP, but only match on a statement like "if a result X Y IP and port AND its reversed Y X IP and port happened within 5 seconds", I should only see the one which happened first. Hope I didn't confuse anyone :-)

0 Karma

micahkemp
Champion

You can do this somewhat with streamstats, but things get tricky because you are thinking in chronological order, and Splunk processes events in reverse-chronological order by default. You can get around this sometimes with reverse, but using that for large datasets is a bad idea.

To show this in action:

| makeresults
| eval _time=200, _raw="event1"
| append [| makeresults | eval _time=195, _raw="event2"]
| append [| makeresults | eval _time=193, _raw="event3"]
| append [| makeresults | eval _time=180, _raw="event4"]
| reverse
| streamstats current=false window=1 last(_time) AS last_time
| eval time_diff=_time-last_time
| where isnull(last_time) OR time_diff>=5

And your search may look like:

1.1.1.1 11 2.2.2.2 22 ciscoasafw index=firewall
| reverse
| streamstats current=false window=1 last(_time) AS last_time
| eval time_diff=_time-last_time
| where isnull(last_time) OR time_diff>=5
0 Karma
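Added example (not from this thread): an SPL search that implements the requirement in rebelnn's follow-up, using the reverse + streamstats approach from the answer above, but keyed per flow so that only the later of two events that are the reverse of each other and within 5 seconds is dropped. It assumes the %ASA-6-106100 message layout shown in the question; the two makeresults events are constructed sample data standing in for host=ciscoasafw index=firewall, and the field names src, dst, fwd and flow_key are my own.

```spl
| makeresults ``` constructed sample: the question's two events, newest first as Splunk returns them; in production replace the makeresults/append lines with: host=ciscoasafw index=firewall "%ASA-6-106100" ```
| eval _time=strptime("2018-01-10 14:22:50", "%Y-%m-%d %H:%M:%S"), _raw="Jan 10 14:22:50 ciscoasafw : %ASA-6-106100: access-list ACL_INSIDE permitted tcp INSIDE/1.1.1.1(11) -> OUTSIDE/2.2.2.2(22) hit-cnt 2 300-second interval [0xb4d91445, 0x0]"
| append [| makeresults | eval _time=strptime("2018-01-10 14:22:48", "%Y-%m-%d %H:%M:%S"), _raw="Jan 10 14:22:48 ciscoasafw : %ASA-6-106100: access-list ACL_OUTSIDE permitted tcp OUTSIDE/2.2.2.2(22) -> INSIDE/1.1.1.1(11) hit-cnt 5 300-second interval [0x6450c313, 0x0]"]
| rex "(?<src_zone>\w+)/(?<src_ip>\d+\.\d+\.\d+\.\d+)\((?<src_port>\d+)\) -> (?<dst_zone>\w+)/(?<dst_ip>\d+\.\d+\.\d+\.\d+)\((?<dst_port>\d+)\)" ``` pull zone, IP and port of both ends out of the 106100 message ```
| eval src=src_ip.":".src_port, dst=dst_ip.":".dst_port
| eval fwd=if(src < dst, 1, 0) ``` direction flag: 1 when the lexicographically smaller endpoint is the source ```
| eval flow_key=if(fwd=1, src."|".dst, dst."|".src) ``` same key for A->B and B->A ```
| reverse ``` oldest first, so the previous event in the stream is the earlier one ```
| streamstats current=false window=1 last(_time) AS last_time last(fwd) AS last_fwd by flow_key
| where isnull(last_time) OR fwd=last_fwd OR _time-last_time>=5 ``` drop only a reversed-direction event within 5 s of the previous event for the same flow ```
| table _time src_zone src dst_zone dst
```

With the sample above only the 14:22:48 OUTSIDE->INSIDE event survives; the 14:22:50 INSIDE->OUTSIDE event is the reverse of it and 2 seconds later, so it is hidden.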

somesoni2
Revered Legend

Is timestamp the only rule to exclude the second result, or are there other criteria? Are these two events related in some way? Will you always get two results, or can there be more (and what happens when there are more results)?

0 Karma