events correlation rules

trazomtg
New Member

hi,

How do I correlate events with an event correlation rule? So, how can I write a correlation rule?

Thanks a lot

Labels (1)
0 Karma

gcusello
SplunkTrust

Hi @trazomtg ,

as the others already said, in Splunk you can correlate events from the same or different data sources, even if they are heterogeneous or different.

The rule to create a correlation search is to identify the correlation key, in other words the fields to use to correlate the different events.

We could help you, but it's mandatory to have more details about the data flows to correlate.

As an example, you could correlate access logs of a Windows server with an entrance badge, so if in Windows the login is recognized by user and EventCode=4624 and, e.g., in the entrance badge the user field is username and the action is action="access", you could create a search like the following:

(index=wineventlog EventCode=4624) OR (index=entrance_badge action="access")
| eval user=coalesce(user,username)
| stats 
     earliest(eval(if(index=="wineventlog",_time,null()))) AS wineventlog_time
     earliest(eval(if(index=="entrance_badge",_time,null()))) AS entrance_badge_time
     dc(index) AS index_count
     BY user
| eval 
     wineventlog_time=strftime(wineventlog_time,"%Y-%m-%d %H:%M:%S"),
     entrance_badge_time=strftime(entrance_badge_time,"%Y-%m-%d %H:%M:%S")

In this way, you can check that a user was present in the office when they accessed a server.

Ciao.

Giuseppe

0 Karma
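To make the badge/login correlation above something you can run without the two indexes, here is an added emulation (not part of Giuseppe's answer) that builds a handful of constructed events with makeresults, feeds them through the same coalesce/stats pipeline, and labels the cases a defender cares about: a login with no badge entry, and a badge entry that comes after the login. The timestamps, user names and the presence field are assumptions made for the example:

```spl
| makeresults format=csv data="ts,username,action
2024-05-01 08:02:00,alice,access
2024-05-01 07:50:00,carol,access"
| eval index="entrance_badge"
| append
    [| makeresults format=csv data="ts,user,EventCode
2024-05-01 08:15:00,alice,4624
2024-05-01 09:30:00,bob,4624
2024-05-01 07:40:00,carol,4624"
    | eval index="wineventlog" ]
| eval _time=strptime(ts, "%Y-%m-%d %H:%M:%S")
| fields - ts
| eval user=coalesce(user,username)
| stats
     earliest(eval(if(index=="wineventlog",_time,null()))) AS wineventlog_time
     earliest(eval(if(index=="entrance_badge",_time,null()))) AS entrance_badge_time
     dc(index) AS index_count
     BY user
| eval presence=case(
     isnull(entrance_badge_time), "login without badge entry",
     isnull(wineventlog_time), "badge entry without login",
     entrance_badge_time<=wineventlog_time, "badge entry before login",
     true(), "login before badge entry")
| eval wineventlog_time=strftime(wineventlog_time,"%Y-%m-%d %H:%M:%S"),
       entrance_badge_time=strftime(entrance_badge_time,"%Y-%m-%d %H:%M:%S")
| sort presence
```

With the constructed rows, alice ends up as "badge entry before login" (index_count=2), bob as "login without badge entry" (index_count=1, the case a correlation search would alert on), and carol as "login before badge entry". The two makeresults calls are kept separate and joined with append so that each side only carries its own field names; that matters because coalesce treats an empty string as a value, not as null.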

PickleRick
SplunkTrust

A correlation search is just a scheduled search with extra steps. So you need to know what you are looking for, write a search looking for it (preferably an effective one, since it's probably going to be spawned often), and configure the rest of the settings for the correlation search (which will be different depending on whether you mean a correlation search in ES or ITSI).

0 Karma

livehybrid
SplunkTrust

Hi @trazomtg 

In order for us to help you please could you provide more detail on what you are trying to achieve and product(s) you’re using. 

🌟 Did this answer help you? If so, please consider:

    • Adding karma to show it was useful
    • Marking it as the solution if it resolved your issue
    • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing.

0 Karma

trazomtg
New Member

hi,

It's simple. I receive a lot of events from different hosts. They mention that all the hosts are down, but the reason is that the router connected to these hosts is down. So I don't want to receive messages from the hosts, but just one message from the router.

0 Karma

yuanliu
SplunkTrust

As @gcusello indicates, you will need a common/correlation field between host message and router message.  It is best for you to illustrate your data, even mock data, and illustrate how you want the output to be. (You have just explained the logic between input and desired output.  This is good.)

Short of your illustrations, let me assume that the common field in host message (sourcetype=host_message) is named gateway, and  that in router message (sourcetype=router_message) is named side_a.  Assume further that there is a field named status in both. (But statuses are independent despite a common name.)

While the above assumptions about data are reasonable, it is even more critical to have your input about your use case, i.e., desired results.  Here, I imagine that you want Splunk to output all host failure messages if their common gateway is up, but if a common gateway is down, you want to suppress host failure messages, only output router failure message.

This is how you should describe your use case using data:

host:

gateway   host   sourcetype    status
10.0.0.1  host1  host_message  up
10.0.0.1  host2  host_message  down
10.0.1.1  host3  host_message  down
10.0.0.1  host4  host_message  up
10.0.1.1  host5  host_message  down
10.0.0.1  host6  host_message  down
10.0.1.1  host7  host_message  down

router:

host     side_a    sourcetype      status
router1  10.0.0.1  router_message  up
router2  10.0.1.1  router_message  down

Desired results:

gateway   host     side_a    sourcetype      status
10.0.0.1  host2              host_message    down
10.0.0.1  host6              host_message    down
          router2  10.0.1.1  router_message  down

Logic between data and desired results:

  • When a gateway router is down, I don't want to see host failure messages using that gateway.

This is a search to get such output from illustrated data:

sourcetype IN (host_message, router_message) status = down
| eval down_router = if(sourcetype == "router_message", host, null())
| eval router = coalesce(gateway, side_a)
| eventstats values(down_router) as down_router by router
| where isnull(down_router) or sourcetype == "router_message"
| fields - down_router router

Here is an emulation for you to play with and compare with real data.

| makeresults format=csv data="host,gateway,status
host1,10.0.0.1,up
host2,10.0.0.1,down
host3,10.0.1.1,down
host4,10.0.0.1,up
host5,10.0.1.1,down
host6,10.0.0.1,down
host7,10.0.1.1,down"
| eval sourcetype = "host_message"
| append
    [ makeresults format=csv data="host,side_a,status
router1,10.0.0.1,up
router2,10.0.1.1,down"
    | eval sourcetype = "router_message"]
| search status = down
``` the above emulates
sourcetype IN (host_message, router_message) status = down
```

Tags (1)
0 Karma
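PickleRick's point that a correlation search is a scheduled search plus alert settings, and the router/host use case worked through in the answer above, come together in a savedsearches.conf stanza. The following is an added example, not something posted in this thread: it schedules the suppression search from the answer above and throttles notifications per host so that one router outage produces one router message rather than a burst. The stanza name, schedule, window and severity are assumptions; the field names (gateway, side_a, status) are the constructed ones from the answer.

```ini
[Router down - suppress downstream host alerts]
# Added example: scheduled alert over the correlation search from the thread.
# Field names gateway / side_a / status are the constructed ones used above.
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = now
search = sourcetype IN (host_message, router_message) status=down \
| eval down_router = if(sourcetype == "router_message", host, null()) \
| eval router = coalesce(gateway, side_a) \
| eventstats values(down_router) as down_router by router \
| where isnull(down_router) or sourcetype == "router_message" \
| fields - down_router router

# Trigger when at least one event survives the suppression logic.
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
alert.severity = 4

# Per-result triggering with throttling by host: one notification per failed
# host (or per router) per hour instead of one per scheduled run.
alert.digest_mode = 0
alert.suppress = 1
alert.suppress.fields = host
alert.suppress.period = 1h
```

The backslashes continue the search value across lines, which Splunk .conf files allow. Throttling needs the suppression field to be present in the results, so if you prefer to throttle per gateway instead of per host, keep the router field in the output (drop it from the final fields command) and set alert.suppress.fields = router.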