Splunk Search

Tricky Search for 2 events in same Index

LizAndy123
Path Finder

So I have an Index with working alerts thanks to your guys help.

I have a question on 2 separate events at the same time.

1st Event : Invalid password provided for user : xxxxxxxx (this is in the Event)

2nd Event : GET /Project/1234/ HTTP/1.1 401 (this is basically letting me know about the first event, but with what Project they tried to connect to).


How would one write this to get the username from the invalid password event and correlate that with the project at the same time underneath?

Example User xxxxxx put in an invalid password for Project 1234.

Thinking it is easier to get my team to write it all in 1 event for another release.


0 Karma

yuanliu
SplunkTrust

In addition to the technical consideration @PickleRick points out, you should make a blunt case to your developers that this is logically impossible unless

  • there is only ever one user accessing your entire Web site with credentials, or
  • there is a strict mechanism to prevent more than one user from accessing your Web site during any prescribed time interval.

This, and if code authentication failure is the ONLY reason 401 is returned. (HTTP 401 is for unauthorized access, not an indicator of authentication failure.)

Present the above two logs to your developers and ask them what logic they can use (without Splunk) to tell you why the second event is related to the same user as the second event.

If your logs contain additional identifiable information such as client IP address, there is a better chance for such correlation. But your mock data doesn't suggest the existence of such data.

0 Karma

PickleRick
SplunkTrust

Correlating on time alone while possible is always tricky. You never know what delay you're gonna get between these two events. And you might get more than just those two events at this particular timestamp. It's best if you either have both those pieces of information within one event or at least they both include some unique identifier so that you can unambiguously connect one with the other.

0 Karma
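The ambiguity PickleRick describes, worked through as an added example that is not code from this thread: a small Python correlator that pairs each 401 web event with the invalid-password events that fall inside a fixed time window before it, and flags the pairing as ambiguous when more than one user is a candidate. The log lines, the timestamp format and the 2-second window are constructed assumptions; the grouping is the same thing a time-bucketed stats search would do in Splunk, with the ambiguous and unmatched cases kept visible instead of silently dropped.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (hypothetical), mimicking the two sourcetypes in the thread.
AUTH_LOGS = [
    "2024-05-01T10:00:00 Invalid password provided for user : alice",
    "2024-05-01T10:00:05 Invalid password provided for user : bob",
    "2024-05-01T10:00:05 Invalid password provided for user : carol",
]
WEB_LOGS = [
    '2024-05-01T10:00:01 "GET /Project/1234/ HTTP/1.1" 401',
    '2024-05-01T10:00:06 "GET /Project/5678/ HTTP/1.1" 401',
    '2024-05-01T10:00:30 "GET /Project/9999/ HTTP/1.1" 401',
]

# Field extraction, equivalent to a rex with named groups in SPL.
AUTH_RE = re.compile(r"^(\S+) Invalid password provided for user\s*:\s*(\S+)")
WEB_RE = re.compile(r'^(\S+) "GET /Project/(\d+)/ HTTP/1\.1" 401')


def parse(lines, pattern):
    """Return (timestamp, captured value) for every line the pattern matches."""
    out = []
    for line in lines:
        m = pattern.match(line)
        if m:
            out.append((datetime.fromisoformat(m.group(1)), m.group(2)))
    return out


def correlate(auth_lines, web_lines, window_seconds=2):
    """Pair each 401 with the invalid-password users seen in the preceding window.

    Each result carries a status:
      ok         - exactly one candidate user, the pairing is unambiguous
      ambiguous  - several users failed in the window; time alone cannot pick one
      unmatched  - no invalid-password event near this 401 (401 has other causes)
    """
    auth = parse(auth_lines, AUTH_RE)
    web = parse(web_lines, WEB_RE)
    window = timedelta(seconds=window_seconds)
    results = []
    for ts, project in web:
        candidates = sorted({user for (ats, user) in auth if ts - window <= ats <= ts})
        if len(candidates) == 1:
            status = "ok"
        elif candidates:
            status = "ambiguous"
        else:
            status = "unmatched"
        results.append(
            {"time": ts.isoformat(), "project": project, "users": candidates, "status": status}
        )
    return results


if __name__ == "__main__":
    for row in correlate(AUTH_LOGS, WEB_LOGS):
        print(row)
```

Only the first 401 resolves cleanly; the second shows two users failing within the same window, and the third has no nearby password failure at all, which is exactly why an alert built on time proximity alone needs a shared identifier (client IP, session ID, request ID) before it can be trusted.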

LizAndy123
Path Finder

I will add - it is the same index but the 1st event is from one source type and the 2nd event from another source type (just different server logs)


0 Karma