Splunk Search

combine two transaction results based on one value they share

whistj
Explorer

I have a transaction that includes a MAC address which doesn't change and an IP address which changes during the transaction, and one message that does not have the MAC address but only the IP.

Here is an example transaction

allowed_client MAC=0004F2999999, VLAN=172, BASEPORT=12, HOST=CST2-CAFE-CRH.UMH.EDU
lucent dhcp service[info] 110 DHCP_GrantLease: Host= IP=172.26.32.254 MAC=0004f2999999 Domain=umh.edu
lucent dhcp service[info] 110 DHCP_RenewLease: Host= IP=172.26.32.254 MAC=0004f2999999 Domain=umh.edu
lucent dhcp service[info] 110 DHCP Release: Host= IP=172.26.32.254 MAC=0004f2999999 Domain=umh.edu
lucent dhcp service[info] 110 DHCP_GrantLease: Host= IP=172.26.32.254 MAC=0004f2999999 Domain=umh.edu
lucent dhcp service[info] 110 DHCP_RenewLease: Host= IP=172.26.32.254 MAC=0004f2999999 Domain=umh.edu
lucent dhcp service[info] 110 DHCP Release: Host= IP=172.26.32.254 MAC=0004f2999999 Domain=umh.edu
allowed_voice MAC=0004F2999999, VLAN=2172, BASEPORT=12, HOST=CST2-CAFE-CRH.UMH.EDU
lucent dhcp service[info] 110 DHCP_GrantLease: Host= IP=172.27.32.254 MAC=0004f2999999 Domain=umh.edu
lucent dhcp service[info] 110 DHCP_RenewLease: Host= IP=172.27.32.254 MAC=0004f2999999 Domain=umh.edu
srcphoneboot IP=172.27.32.254

Using (srcphoneboot) OR (0004F2* grantlease) OR (allowed_client 0004F2* ) OR (allowed_voice 0004F2* ) |eval MAC=lower(MAC) | transaction MAC,IP

Gets me two events:
Event 1:
10/12/2011 10:04:14 umhc-logproc02.umh.edu [notice] root: allowed_voice MAC=0004F2999999, VLAN=2172, BASEPORT=12, HOST=CST2-CAFE-CRH.UMH.EDU
10/12/2011 10:04:23 umhc-logproc02.umh.edu [notice] root: lucent dhcp service[info] 110 DHCP_GrantLease: Host= IP=172.27.32.254 MAC=0004f2999999 Domain=umh.edu
10/12/2011 10:04:41 umhc-logproc02.umh.edu [notice] root: srcphoneboot IP=172.27.32.254

Event 2:

10/12/2011 10:03:11 umhc-logproc02.umh.edu [notice] root: allowed_client MAC=0004F2999999, VLAN=172, BASEPORT=12, HOST=CST2-CAFE-CRH.UMH.EDU
10/12/2011 10:03:20 umhc-logproc02.umh.edu [notice] root: lucent dhcp service[info] 110 DHCP_GrantLease: Host= IP=172.26.32.254 MAC=0004f2999999 Domain=umh.edu
10/12/2011 10:03:47 umhc-logproc02.umh.edu [notice] root: lucent dhcp service[info] 110 DHCP_GrantLease: Host= IP=172.26.32.254 MAC=0004f2999999 Domain=umh.edu

I'd like to see these as one event and since they have MAC in common thought that I could simply add | transaction MAC onto the end of my search chain. When I do that on my current 4.2.3 install I get a statement that there is 1 event. However, the event is never displayed.

Am I missing an option in transaction to allow further processing or does someone see a better way to build up this chain?

Thanks


woodcock
Esteemed Legend

It should already be doing this, but I guess the problem is that there are not 1-to-1 mappings between the fields you are using (which is typically the case and definitely desirable when using transaction). In any case, try adding connected=f, and also try reversing | transaction MAC,IP to | transaction IP,MAC to see if you get different (better) results.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/transaction

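The following is an added example, not code from the original post or from Splunk: a small Python model of how `transaction <field-list>` decides which events belong together, run over the six events quoted in the question's two result blocks (copied here as constructed sample input). The grouping rule it models is an assumption drawn from the transaction docs: events are walked newest-first, an event joins the most recently extended open transaction whose values for every listed field the event carries either match or are not yet set, a conflicting value starts a new transaction, and `connected=t` additionally refuses to attach an event that shares none of the fields already set in that transaction. `merge_on` is a hypothetical helper standing in for the follow-up `| transaction MAC` the question asks about. It is a simplified reading of the documented behaviour, not Splunk's implementation.

```python
import re
from datetime import datetime

# Constructed sample input: the six events shown in the question's results.
SAMPLE_LOG = """\
10/12/2011 10:03:11 umhc-logproc02.umh.edu [notice] root: allowed_client MAC=0004F2999999, VLAN=172, BASEPORT=12, HOST=CST2-CAFE-CRH.UMH.EDU
10/12/2011 10:03:20 umhc-logproc02.umh.edu [notice] root: lucent dhcp service[info] 110 DHCP_GrantLease: Host= IP=172.26.32.254 MAC=0004f2999999 Domain=umh.edu
10/12/2011 10:03:47 umhc-logproc02.umh.edu [notice] root: lucent dhcp service[info] 110 DHCP_GrantLease: Host= IP=172.26.32.254 MAC=0004f2999999 Domain=umh.edu
10/12/2011 10:04:14 umhc-logproc02.umh.edu [notice] root: allowed_voice MAC=0004F2999999, VLAN=2172, BASEPORT=12, HOST=CST2-CAFE-CRH.UMH.EDU
10/12/2011 10:04:23 umhc-logproc02.umh.edu [notice] root: lucent dhcp service[info] 110 DHCP_GrantLease: Host= IP=172.27.32.254 MAC=0004f2999999 Domain=umh.edu
10/12/2011 10:04:41 umhc-logproc02.umh.edu [notice] root: srcphoneboot IP=172.27.32.254
"""

TS_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (.*)$")
KV_RE = re.compile(r"\b(MAC|IP)=([0-9A-Fa-f:.]+)")


def parse_events(text):
    """Return (timestamp, fields, raw) tuples, oldest first. MAC is lower-cased,
    mirroring `eval MAC=lower(MAC)` in the question's search."""
    events = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
        fields = dict(KV_RE.findall(line))
        if "MAC" in fields:
            fields["MAC"] = fields["MAC"].lower()
        events.append((ts, fields, line))
    return sorted(events, key=lambda e: e[0])


def group_events(events, keys, connected=True):
    """Assumed model of `transaction <keys>` (see lead-in). Each transaction is
    {"values": {field: value}, "events": [...]}; returned newest-first."""
    open_txns = []  # most recently extended transaction first
    for ev in sorted(events, key=lambda e: e[0], reverse=True):
        _, fields, _ = ev
        present = {k: fields[k] for k in keys if k in fields}
        if not present:
            continue  # carries none of the listed fields: skipped in this model
        target = None
        for txn in open_txns:
            vals = txn["values"]
            # A value that disagrees with one already fixed in txn rules it out.
            if any(k in vals and vals[k] != v for k, v in present.items()):
                continue
            # connected=t: the event must share at least one already-set field.
            if connected and not any(k in vals for k in present):
                continue
            target = txn
            break
        if target is None:
            target = {"values": {}, "events": []}
        target["values"].update(present)
        target["events"].append(ev)
        open_txns = [target] + [t for t in open_txns if t is not target]
    for t in open_txns:
        t["events"].sort(key=lambda e: e[0])
    return sorted(open_txns, key=lambda t: t["events"][0][0], reverse=True)


def merge_on(txns, key):
    """Hypothetical helper: union transactions whose value for `key` is identical
    (the effect the question wants from a trailing `| transaction MAC`)."""
    merged, rest = {}, []
    for t in txns:
        v = t["values"].get(key)
        if v is None:
            rest.append(t)
            continue
        m = merged.setdefault(v, {"values": dict(t["values"]), "events": []})
        m["events"].extend(t["events"])
    out = list(merged.values()) + rest
    for t in out:
        t["events"].sort(key=lambda e: e[0])
    return out


def summarize(txn):
    """eventcount and duration (seconds), as transaction reports them, plus values."""
    evs = txn["events"]
    return {"eventcount": len(evs),
            "duration": (evs[-1][0] - evs[0][0]).total_seconds(),
            **txn["values"]}


if __name__ == "__main__":
    txns = group_events(parse_events(SAMPLE_LOG), ["MAC", "IP"])
    for t in txns:
        print(summarize(t))
        for _, _, raw in t["events"]:
            print("   ", raw)
    print("after merge on MAC:", [summarize(t) for t in merge_on(txns, "MAC")])
```

Under this model the two GrantLease events for 172.26.32.254 and 172.27.32.254 cannot sit in one MAC,IP transaction because IP would then hold two values; that is what splits the data into the two events the question shows, and it is why a second grouping on MAC alone is needed to get one. For incident work this matters: the MAC-to-IP mapping changes within the window, so any attribution of 172.26.32.254 or 172.27.32.254 to this device should carry the lease times rather than a single combined span.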