Splunk Search

append and transaction

Contributor

I have a pretty complex search where I'm trying to get the DHCP and ACS authentication logs correlated by MAC address for all workstations where a particular user logged into the wireless network.

index=main (host=dhcpserver) 
| extract mac
| search
  [ search host=csacs* index=main CSCOacs_Passed_Authentications
    [ search host=csacs* index=main CSCOacs_Passed_Authentications user=*username* 
      | fields trans_id ] 
    | transaction maxpause=5s trans_id 
    | lookup normalizemac input AS Calling_Station_ID OUTPUTNEW mac 
    | dedup mac 
    | fields mac ] 
| rex field=_raw "DHCPACK on (?<ip_assigned>[0-9\.]+) to [^\(]+\((?<hostname>[^\)]+)\)"
| fields _time host hostname ip_assigned mac
| append
  [ search host=csacs* index=main CSCOacs_Passed_Authentications
    [ search host=csacs* index=main CSCOacs_Passed_Authentications user=*username* 
      | fields trans_id ] 
    | transaction maxpause=5s trans_id 
    | lookup normalizemac input AS Calling_Station_ID OUTPUTNEW mac 
    | dedup mac 
    | fields _time host mac user ]
| transaction maxspan=20s mac

Everything is working okay except for the final transaction to join the transaction between the two systems. I verified the relevant events have the same MAC address and format (lowercase aa:aa:aa:aa:aa:aa) and are well within the maxspan time. Does transaction not work across appended searches?

Legend

I think this search can be simplified:

index=main (host=dhcpserver) 
| extract mac
| search
  [ search host=csacs* index=main CSCOacs_Passed_Authentications user=*username* trans_id=*  
    | dedup Calling_Station_ID
    | lookup normalizemac input AS Calling_Station_ID OUTPUTNEW mac 
    | dedup mac 
    | fields mac ] 
| rex field=_raw "DHCPACK on (?<ip_assigned>[0-9\.]+) to [^\(]+\((?<hostname>[^\)]+)\)"
| fields _time host hostname ip_assigned mac
| append
  [ search host=csacs* index=main CSCOacs_Passed_Authentications user=*username* trans_id=*
    | transaction maxpause=5s trans_id 
    | lookup normalizemac input AS Calling_Station_ID OUTPUTNEW mac 
    | dedup mac 
    | fields _time host mac user ]
| transaction maxspan=20s mac

But I think this is the answer to your question: transaction

"Given events as input, this command finds transactions based on events"

You are not passing events to the final transaction command: you are passing summarized search results.

0 Karma
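As an added example (it is neither the poster's nor the answerer's search), one way to make the final grouping robust: append simply concatenates the second result set after the first, and transaction expects its input in descending _time order, so the combined results are re-sorted before grouping, and a group is kept only when both sources contributed. It assumes the same normalizemac lookup, mac extraction and *username* placeholder as above, plus a constructed src field that tags which branch each row came from.

```spl
index=main host=dhcpserver DHCPACK
| extract mac
| search
    [ search index=main host=csacs* CSCOacs_Passed_Authentications user=*username*
      | lookup normalizemac input AS Calling_Station_ID OUTPUTNEW mac
      | dedup mac
      | fields mac ]
| rex field=_raw "DHCPACK on (?<ip_assigned>[0-9\.]+) to [^\(]+\((?<hostname>[^\)]+)\)"
| eval src="dhcp"
| fields _time src host hostname ip_assigned mac
| append
    [ search index=main host=csacs* CSCOacs_Passed_Authentications user=*username*
      | lookup normalizemac input AS Calling_Station_ID OUTPUTNEW mac
      | eval src="acs"
      | fields _time src host mac user ]
| eval mac=lower(mac)
| sort 0 -_time
| transaction mac maxspan=20s
| search src=dhcp src=acs
| table _time duration mac user hostname ip_assigned host
```

If the grouping is still empty after the sort, run the same search with `| stats values(src) by mac` in place of everything from `sort` onward to confirm that both branches really emit identical mac values for the same station.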

Explorer

Is there really a difference between summarized search results and events? My impression is that append takes a result and just adds more events to it.

0 Karma

Explorer

Hi Jeff. Did you get the answer to your question? I am having the same problem with append + transaction.

0 Karma