Hi *,
I'm trying to correlate events with the transaction function.
This is my search:
source="auditd"| transaction msg | stats values(auid) AS Users values(exe) AS Commands values(a1) AS par1 values(a2) AS par2 values(a3) AS par3 BY msg
My need is that I want to group two strings that are part of the same event (msg) and to get some parameters from one event and one from the other. Unfortunately the parameters have the same name in both events (a0, a1, a2, ...).
How can I tell Splunk to distinguish the a1 from the first event from the a1 in the second event?
Example: one correlated event based on the msg, but with 2 different types. I want to take the a1, a2, ... from the type=EXECVE and not the one from type=SYSCALL.
type=SYSCALL msg=audit(12/12/2012 08:37:06.190:17211) : arch=i386 syscall=execve success=yes exit=0 a0=9ba86d0 a1=9bad370 a2=9bad828 a3=0 items=2 ppid=10479 pid=24196 tty=pts0 ses=38 comm=cat exe=/bin/cat key=(null)
type=EXECVE msg=audit(12/12/2012 08:37:06.190:17211) : argc=2 a0=cat a1=/etc/passwd
Thanks,
HS
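One way to keep the EXECVE arguments apart from the SYSCALL ones, as an added example that is not part of the original post: null out a1..a3 on every record that is not EXECVE before aggregating, and group on the audit serial number extracted with rex (an assumption here, in case auto key=value extraction cuts the msg field at the space inside the timestamp). The field names exec_a1, exec_a2, exec_a3 and serial are names chosen for this example.

```spl
source="auditd" type=SYSCALL OR type=EXECVE
| rex "msg=audit\([^)]*:(?<serial>\d+)\)"
| eval exec_a1=if(type=="EXECVE", a1, null()),
       exec_a2=if(type=="EXECVE", a2, null()),
       exec_a3=if(type=="EXECVE", a3, null())
| stats values(auid) AS Users values(exe) AS Commands
        values(exec_a1) AS par1 values(exec_a2) AS par2 values(exec_a3) AS par3
        BY serial
```

values() ignores null values, so par1..par3 are filled only from the EXECVE record while Users and Commands still come from the SYSCALL record of the same serial. Grouping with stats BY serial replaces transaction msg, which is cheaper and does not depend on maxspan or event ordering.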