Using Eval to get timespan to apply to subsearch

ltrand · ‎05-07-2015

I'm looking for a way that I can take some logon logs and figure out the firewall logs for only when the user had the IP. Because it's a VPN pool, the IP's refresh and get reused quickly, so I'm trying to build a correlation that can positively match the activity to an endpoint.

What I have so far:
(sourcetype=WinEventLog:Security AccountName="username" | transaction TaskCategory startswith=Logon endswith="Logon/Logoff"| table _time TaskCategory Source_Network_Address

I would like to do a subsearch that is logically similar to this:

in sourcetype=fwlogs where src_ip=Source_Network_Address starts with transaction start-time-ends with transaction-end-time

Any thoughts?

woodcock · ‎05-07-2015

This should do the trick (replace < with "<" and > with ">"; stupid markdown bugs):

sourcetype=WinEventLog:Security AccountName="username"
| transaction TaskCategory startswith=Logon endswith="Logon/Logoff"
| eval startTime=_time | eval endTime=_time+duration
| map search="search sourcetype=fwlogs src_ip=$Source_Network_Address$ _time&gt;=$startTime$ _time&lt;=$endTime$

Using Eval to get timespan to apply to subsearch

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

Using Eval to get timespan to apply to subsearch

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem