Searching for transaction demarked by paired event...

mightyscotchpin · ‎03-15-2012

I've got a search problem that I've been trying to solve with some combination of transactions and events.

Hi all. I am trying search for a specific incident in one of our sources. The characteristics of the incident are:

starts with a specific pair of lines, in order (event 1 & 2)
A single occurrence of event A is found in between.
A single occurrence of event B is found in between.
event A & B can be in any order
ends with a specific pair of lines, in order (event 1 & 2)
All the events in a single incident have the same host name and log #.

Example:
hostA log2 event 1
hostA log2 event 2
hostA log2 event A
hostA log2 event B
hostA log2 event 1
hostA log2 event 2

Any suggestions on the best way to capture these incidents?

As I said, I have tried transactions, events and eventtypes, with no luck so far.

Thanks in advance for any advice.

Dan · ‎03-15-2012

I would try the general approach of:

eval some marker field to capture whether an event is 'event1', 'event2', 'eventA', or 'eventB'.
use transaction on the host name and log #
flatten the resulting multi-valued marker field into a string
use a regex on this flattened field to match the sequence you have listed there

This is an interesting problem, can you describe what the real-world incident is with these events?

Searching for transaction demarked by paired events

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?