Splunk Search

Connecting events that don't have a common field

robettinger
Explorer

Hi guys,

more like a generic question: how do you make sense of events which are not necessarily linked by a common field? For example, one of our applications produces logs that generate many events/lines such as:

[08/Sep/2017:09:20:20 +0200] Logon request from 10.10.10.3
[08/Sep/2017:09:20:21 +0200] Object 662737354 deleted
[08/Sep/2017:09:20:21 +0200] User X77262 trying to connect ...
[08/Sep/2017:09:20:22 +0200] Logon Denied: Bad password

So lines 1, 3 and 4 represent a logon request but I cannot "transact" them as there is no common field. Or can I?

In a perfect world session IDs would be introduced in the logs OR more complete log entries, but changing code is a massive undertaking ... How do you guys deal with scenarios such as this one?

Thanks.

0 Karma

gcusello
SplunkTrust

Hi robettinger,
if you don't have a transaction ID, you should verify whether it's possible to correlate events using the host field (which you always have) and a duration (e.g. 5 seconds) or a starting and/or ending string.
e.g. in your example:

| transaction host startswith="Logon request from" endswith="Logon Denied:"

see all the transaction command options at http://docs.splunk.com/Documentation/Splunk/6.6.3/SearchReference/Transaction
Bye.
Giuseppe

0 Karma

cpetterborg
SplunkTrust

Also, watch for events that overlap - like two or more users logging in at the same time. That is the best reason to change the logging to include a key (username, etc) so that you can separate the transaction events properly.

0 Karma
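As an added example that is not part of either reply, the Python below emulates the host + startswith/endswith grouping gcusello suggests and flags the overlap cpetterborg warns about. The host names, the app02 and app03 lines and the 5-second maxspan are constructed assumptions; the app01 lines are the ones from the question.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events as (host, raw line); host is Splunk metadata in the
# thread, so it is supplied alongside each line here. app02 carries two
# interleaved logons, app03 a reply that arrives after the maxspan window.
SAMPLE_EVENTS = [
    ("app01", "[08/Sep/2017:09:20:20 +0200] Logon request from 10.10.10.3"),
    ("app01", "[08/Sep/2017:09:20:21 +0200] Object 662737354 deleted"),
    ("app01", "[08/Sep/2017:09:20:21 +0200] User X77262 trying to connect ..."),
    ("app01", "[08/Sep/2017:09:20:22 +0200] Logon Denied: Bad password"),
    ("app02", "[08/Sep/2017:09:21:00 +0200] Logon request from 10.10.10.4"),
    ("app02", "[08/Sep/2017:09:21:01 +0200] Logon request from 10.10.10.5"),
    ("app02", "[08/Sep/2017:09:21:02 +0200] Logon Denied: Bad password"),
    ("app02", "[08/Sep/2017:09:21:03 +0200] Logon OK"),
    ("app03", "[08/Sep/2017:09:22:00 +0200] Logon request from 10.10.10.6"),
    ("app03", "[08/Sep/2017:09:22:30 +0200] Logon Denied: Bad password"),
]

TS_RE = re.compile(r"^\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

def parse_ts(line):
    """Pull the bracketed timestamp; the offset is ignored since all lines share it."""
    return datetime.strptime(TS_RE.match(line).group(1), "%d/%b/%Y:%H:%M:%S")

def group_transactions(events, startswith, endswith, maxspan=timedelta(seconds=5)):
    """Simplified emulation of `transaction host startswith=... endswith=...`:
    per host, open a group on a start marker, absorb following events until an
    end marker closes it or maxspan is exceeded (then the group is evicted as is).
    Returns [(host, [lines])] in closing order; events outside a group are dropped."""
    open_tx, closed = {}, []
    for host, line in events:
        ts = parse_ts(line)
        if host in open_tx and ts - open_tx[host][0] > maxspan:
            closed.append((host, open_tx.pop(host)[1]))  # evicted, no end seen in time
        if host not in open_tx:
            if startswith in line:
                open_tx[host] = (ts, [line])
            continue
        open_tx[host][1].append(line)
        if endswith in line:
            closed.append((host, open_tx.pop(host)[1]))
    closed.extend((h, tx[1]) for h, tx in open_tx.items())
    return closed

def ambiguous_groups(groups, startswith):
    """Groups holding more than one start marker: overlapping sessions that the
    host+time heuristic cannot separate, which is the caveat in the second reply."""
    return [g for g in groups if sum(startswith in l for l in g[1]) > 1]
```

Running `group_transactions(SAMPLE_EVENTS, "Logon request from", "Logon Denied:")` yields one clean group for app01, one group for app02 that `ambiguous_groups` flags because two requests share a single denial, and a one-event evicted group for app03 whose denial fell outside the window.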