Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search that Alerts for two events with a matching field

jinito14002
New Member
‎10-07-2019 01:16 AM

Hi I'm new to Splunk and am having a hard time finding a simple solution to this.
I tried using subsearch and append but couldn't do it. Wherever I look, it only has complicated solutions with at least 5 pipes.
How do I create an alert if two certain events occurred and their ip addresses match? (Source OR Destination ip whichever)
1. index=snort sid=100 src_ip=192.168.1.3 dst_ip=192.168.1.5
2. index=snort sid=101 src_ip=192.168.1.5 dst_ip=192.168.1.3

If its possible to check whether if event #2 occurred within 5 minutes of event #1 at the same time, that would be great.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aohls
Contributor
‎10-07-2019 05:55 AM

I am not sure what extracts you have setup but you could use a transaction: https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Transaction

| transaction src_ip maxspan=5m

Need some more information to get things exact but it seems using transaction should work. If you can provide some more information that would help.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-07-2019 06:03 AM

HI jinito14002,
try something like this:

index=snort
| eval ip=src_ip.",".dst_ip
| makemv ip delim=","
| mvexpand ip
| stats count BY ip
| where count>1

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

aohls
Contributor
‎10-07-2019 05:55 AM

I am not sure what extracts you have setup but you could use a transaction: https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Transaction

| transaction src_ip maxspan=5m

Need some more information to get things exact but it seems using transaction should work. If you can provide some more information that would help.

0 Karma
Reply
Solved! Jump to solution

jinito14002
New Member
‎10-11-2019 01:05 AM

Thanks, this did the trick for me. just needed that one word "transaction"

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...