Tricky Search for 2 events in same Index

LizAndy123
Path Finder

So I have an index with working alerts, thanks to your guys' help.

I have a question on 2 separate events at the same time.

1st Event: Invalid password provided for user : xxxxxxxx (this is in the event)

2nd Event: GET /Project/1234/ HTTP/1.1 401 (this is basically letting me know about the first event, but which Project they tried to connect to.)

How would one write a search to get the username of the invalid password and correlate that with the project at the same time underneath?

Example User xxxxxx put in an invalid password for Project 1234.

Thinking it is easier to get my team to write it all in 1 event for another release.


yuanliu
SplunkTrust

In addition to the technical consideration @PickleRick points out, you should make a blunt case to your developers that this is logically impossible unless

  • there is only ever one user accessing your entire Web site with credentials, or
  • there is a strict mechanism to prevent more than one user from accessing your Web site during any prescribed time interval.

This, and if code authentication failure is the ONLY reason 401 is returned. (HTTP 401 is for unauthorized access, not an indicator of authentication failure.)

Present the above two logs to your developers and ask them what logic they can use (without Splunk) to tell you why the second event is related to the same user as the first event.

If your logs contain additional identifiable information such as client IP address, there is a better chance for such correlation. But your mock data doesn't suggest the existence of such data.


PickleRick
SplunkTrust

Correlating on time alone, while possible, is always tricky. You never know what delay you're going to get between these two events, and you might get more than just those two events at this particular timestamp. It's best if you either have both those pieces of information within one event, or at least have both include some unique identifier so that you can unambiguously connect one with the other.

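A search that does the time-window pairing the question asks for, but flags the ambiguity PickleRick describes instead of hiding it. This is an added example, not from any poster in this thread; the index name `app_logs`, the sourcetypes `auth_log` and `access_log`, and the 2-second window are assumptions you would replace with your own.

```spl
index=app_logs ((sourcetype=auth_log "Invalid password provided for user") OR (sourcetype=access_log "/Project/" " 401"))
| rex field=_raw "Invalid password provided for user\s*:\s*(?<user>\S+)"
| rex field=_raw "GET /Project/(?<project>\d+)/ HTTP/1\.\d\s+401"
| where isnotnull(user) OR isnotnull(project)
| bin _time span=2s
| stats values(user) as users, values(project) as projects, dc(user) as user_count, dc(project) as project_count by _time
| where user_count>0 AND project_count>0
| eval message=if(user_count=1 AND project_count=1,
      "User ".mvjoin(users, ",")." put in an invalid password for Project ".mvjoin(projects, ","),
      "AMBIGUOUS: ".user_count." user(s) and ".project_count." project(s) fell in the same ".
      "window, so the pairing cannot be trusted")
| table _time, users, projects, message
```

Rows marked AMBIGUOUS are exactly the cases the replies above warn about, and a pair that straddles a bin boundary will not be matched at all; neither problem goes away until both events carry a shared identifier such as a session id or client IP.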

LizAndy123
Path Finder

I will add that it is the same index, but the 1st event is from one sourcetype and the 2nd event from another sourcetype (just different server logs).