Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Using transactions with IronPort's potentially inf...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Using transactions with IronPort's potentially infinite MID rewrites
I've seen quite a few posts about IronPort/Cisco ESA mail logs and how folks have put them together with transaction. However I see one flaw, they don't have a way to include a rewritten MID's rewritten MID. Conceptually I'm having a hard time figuring out how to approach this, any ideas would be greatly appreciated.
MID 70101307 rewritten to MID 70101309 by url-reputation-replace-action filter 'Malicious_URL'
Message finished MID 70101307 done
MID 70101309 rewritten to MID 70101311 by url-threat-protection filter 'Threat Protection'
Message finished MID 70101309 done
Message finished MID 70101311 done
As one can see there are a total of 3 MIDs here.
1. 70101307 which is the first, and root, event
2. 70101307 is rewritten to 70101309
3. 70101309 is rewritten to 70101311
These are all the same message, and I would like to combine them all into a single event. This scenario happens more often than one may assume. Unfortunately folks who are relying on | transaction mid will miss all of the rewritten MID's actions; there is a ton of juicy data there. Using a lookup populated immediately before with maps of MID to rewritten MID is another great idea, and that's how I'm successfully combining the first and second MIDs, but not sure how to capture rewritten MID's rewritten MID. The following is a light example of what I'm doing today, reduced down to the SPL that matters.
index=ironport
| transaction mid
| table _time,host,mid,rewrite_mid
| outputlookup append=false bufferlookup
index=ironport
| lookup local=true bufferlookup host,mid OUTPUT mid AS buffer_mid,rewrite_mid AS buffer_rewrite_mid
| lookup local=true bufferlookup host,mid AS rewrite_mid OUTPUTNEW mid AS buffer_mid,rewrite_mid AS rewrite_mid
| eval anchor=if(!isnull(buffer_mid) and buffer_mid>0,buffer_mid.":".buffer_rewrite_mid,mid)
| transaction anchor
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The proper answer is:
| sort 0 _time | eval mids=mvappend(mid,mid2,rewrite_mid) | transaction mids
other options on transaction may be added as desired, but aren't necessary if the search time frames are short.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am not able to explain it yet, but changing it up a bit gets me the results I'm interested in.
index=ironport MID earliest=-0d@d+8m latest=-0d@d+10m
| eval mids=mvappend(mid,rewrite_mid)
| transaction mids maxspan=600s maxpause=600s maxevents=-1 maxopentxn=-1 maxopenevents=-1
| transaction mids maxspan=600s maxpause=600s maxevents=-1 maxopentxn=-1 maxopenevents=-1
Yes the transaction command is duplicated.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
