×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
anderswesterber
New Member
Member since: ‎04-28-2011
‎06-05-2020
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎04-28-2011
View All

Re: searching multiple sources and concatenating r...

by in Splunk Search
‎08-06-2012 12:38 AM
‎08-06-2012 12:38 AM
Oh, thank you, looks interesting. I'll try this out as soon as possible and get back with the results. ... View more

Re: searching multiple sources and concatenating r...

by in Splunk Search
‎03-08-2012 12:10 AM
‎03-08-2012 12:10 AM
First of all, I dont get how these posts are supposed to work, "you answered your own question"? Thanks for the response but I'm still a bit confused. My main issue with the transaction command was that the results showed a lot of events that had no matching login event so I figured the transaction command was limited to the timeframe you set in the main search, is that wrong? Maxspan=8h just seems to limit maxspan from the default unlimited which i assume just means the whole specified timeframe? Wouldn't the timeframe limit both sourcetypes and if I for example use a timeframe like 02:00-04:00 would I even see a login event from the auth-source that was before that timeframe? What is a "huge number of events"? A high production hour generates over 300K events and a 24h period generates overall 1M to 1.2M events.. quite often I'm asked to deliver reports on a user over several days/weeks. ... View more

searching multiple sources and concatenating resul...

by in Splunk Search
‎03-06-2012 01:35 AM
‎03-06-2012 01:35 AM
Hi, first time trying to join several logsources in Splunk and it's been a nightmare ;)! Use-case: I got one logsource(auth) that have timestamp, src_ip, user, login|logout and another logsource(browse) that have timestamp, src_ip, url I want to get a result that shows one row for each event in browse-logsource with timestamp, ipaddress, url, user fields and I need to be able to search for any time intervall. One issue is that an event in browse can happen as long as 8 hours (max loginsession is 8h) after a login event matches it, another one is that several users might have logged in/out on the same client several times during the last 8 hours so they have the same src_ip. I'v read a lot about how to join logs and have tried transaction, stats, join and lookuptables but I never end up with a result that I can trust. I'm beginning to suspect that this was not the best type of logs to begin my Splunk learning curve with ;)! The closest I have been so far is this: sourcetype="browse" starttime="03/05/2012:20:00:00" endtime="03/05/2012:20:10:00"| join src_ip [search starttime="03/05/2012:12:00:00" endtime="03/05/2012:20:10:00" sourcetype="auth"] Startime/endtime does work in subsearches even tho I'v seen several posts claiming it doesn't, at least in 4.3 it seems to work. I need the starttime/endtimes to make the subsearch cover the relevant timerange, I'v tried using eval to declare variables but cant figure out how to declare variables before a search. Why doesn't this work (I take $start$ and $end$ times from input fields in a view)? sourcetype="browse" starttime="$start$" endtime="$end$"|join src_ip [*|eval startepoch = strptime(start, "%m/%d/%Y:%H:%M:%S")|eval startrelative=relative_time(startepoch,"-8h@s")|convert timeformat="%m/%d/%Y:%H:%M:%S" ctime(startrelative)|search starttime="$startrelative$" endtime="$end$" sourcetype="auth"] And even if I get it to work I cant trust the results since I'm not using the logouts at all..? I tried lookup-tables but unless I make the lookup-table cover all time I dont understand how to use it for historic queries and I'm still not sure how to cover multiple logins from the same src_ip. Sorry for the very long post, I hope someone can point me in the right direction. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:02 AM