Splunk Search

Search to group different fields from different events

johnangelo
Loves-to-Learn

Hi! So I've been at this for hours attempting to use stats and transactions to do this.

I have two events that look like the following: Event 1: (date) (connection=1234) (op=#) (BIND) (username=[username])

Event 2: (date) (connection=1234) (op=#) (RESULT) (error=49) (INVALID CREDENTIALS)

I want to create a pivot that has it so that usernames and invalid credentials can be grouped... right now I am doing the stats command, but not getting any results because these (username and error=49) are two different events. Unfortunately, these fields do not contain unique values among each other (same connection# is shared with many other events, same op# is shared with many others)

The only thing I can think of is event2 comes directly after event1. Is there a way to group this based on time or perhaps eval?

Any suggestions?


ITWhisperer
SplunkTrust

I assume the connection is still important. Try something like this

| sort connection _time
| streamstats current=f window=1 values(user) as user by connection

johnangelo
Loves-to-Learn

Unfortunately, that did not give me the results I was looking for. For clarity, I am attempting to group userid to failed logins, however, those events are separate from each other. 

For example:

[10/Mar/2021:<time>] conn=1000 op=1 BIND dn="uid=bobjim,cn=users,cn=account,dc=random,dc=com" method=111 version=4

[10/Mar/2021:<time>] conn=1000 op=1 RESULT err=49 tag=97 nentries=0 etime=0 - Invalid credentials


ITWhisperer
SplunkTrust

What fields are you extracting for the first event? I assumed that the user name has been extracted to a field called user, but obviously if it has been extracted to a different field, then the streamstats has to be updated accordingly. With this change, do you get the user name on the subsequent event? If not, what do you get?


johnangelo
Loves-to-Learn

Right now I am using

host=<host> sourcetype=<srctype> | sort connection _time
| streamstats current=f window=1 values(uid) as user by conn

This does return the username, however, I would like the username to be correlated with a failed login attempt and to do a pivot/dashboard on this.


ITWhisperer
SplunkTrust

Guessing from your example logs, the connection is in field conn(?) so you should sort by this rather than connection?

host=<host> sourcetype=<srctype> | sort conn _time
| streamstats current=f window=1 values(uid) as user by conn

This should add the user (uid) to the next record in the pipeline for the connection so the fail message should now have a user (uid) associated with it. 

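To make the streamstats logic in the answer above concrete outside Splunk, here is an added Python example (not code from the thread or from Splunk) that parses log lines in the same BIND/RESULT format, carries each connection's previous uid onto the following event exactly as `sort conn _time | streamstats current=f window=1 values(uid) as user by conn` does, and then counts err=49 results per user, which is what the final `stats count by user` for the dashboard would produce. The log lines are constructed for the example, with concrete times filled in where the thread shows `<time>`; the field names `conn`, `op`, `uid`, `err` and `user` follow the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, modelled on the thread's BIND / RESULT lines (not real data).
# Connections 1000 and 1001 interleave so the "by conn" grouping matters.
SAMPLE_LOG = """\
[10/Mar/2021:10:00:01] conn=1000 op=1 BIND dn="uid=bobjim,cn=users,cn=account,dc=random,dc=com" method=111 version=4
[10/Mar/2021:10:00:01] conn=1001 op=1 BIND dn="uid=alice,cn=users,cn=account,dc=random,dc=com" method=111 version=4
[10/Mar/2021:10:00:02] conn=1000 op=1 RESULT err=49 tag=97 nentries=0 etime=0 - Invalid credentials
[10/Mar/2021:10:00:02] conn=1001 op=1 RESULT err=0 tag=97 nentries=0 etime=0
[10/Mar/2021:10:00:03] conn=1000 op=2 BIND dn="uid=bobjim,cn=users,cn=account,dc=random,dc=com" method=111 version=4
[10/Mar/2021:10:00:04] conn=1000 op=2 RESULT err=49 tag=97 nentries=0 etime=0 - Invalid credentials
[10/Mar/2021:10:00:05] conn=1002 op=1 BIND dn="uid=carol,cn=users,cn=account,dc=random,dc=com" method=111 version=4
[10/Mar/2021:10:00:06] conn=1002 op=1 RESULT err=49 tag=97 nentries=0 etime=0 - Invalid credentials
"""

# Field extractions equivalent to what the thread assumes Splunk has done: conn, op, uid, err.
BIND_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+conn=(?P<conn>\d+)\s+op=(?P<op>\d+)\s+BIND\s+dn="uid=(?P<uid>[^,"]+)'
)
RESULT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+conn=(?P<conn>\d+)\s+op=(?P<op>\d+)\s+RESULT\s+err=(?P<err>\d+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S"  # assumed timestamp layout for the constructed sample


def parse_events(text):
    """Turn raw log lines into event dicts with the extracted fields; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = BIND_RE.match(line)
        if m:
            events.append({"_time": datetime.strptime(m["ts"], TS_FORMAT), "conn": int(m["conn"]),
                           "op": int(m["op"]), "kind": "BIND", "uid": m["uid"]})
            continue
        m = RESULT_RE.match(line)
        if m:
            events.append({"_time": datetime.strptime(m["ts"], TS_FORMAT), "conn": int(m["conn"]),
                           "op": int(m["op"]), "kind": "RESULT", "err": int(m["err"])})
    return events


def carry_uid_by_conn(events):
    """Equivalent of `| sort conn _time | streamstats current=f window=1 values(uid) as user by conn`.

    For each event, `user` is the uid of the immediately preceding event on the same
    connection (None when that event has no uid, e.g. when it was itself a RESULT).
    """
    previous = {}  # conn -> previous event on that connection
    out = []
    for ev in sorted(events, key=lambda e: (e["conn"], e["_time"])):  # stable sort keeps log order on ties
        ev = dict(ev)
        ev["user"] = previous.get(ev["conn"], {}).get("uid")
        previous[ev["conn"]] = ev
        out.append(ev)
    return out


def failed_logins_by_user(events):
    """Equivalent of `| where kind="RESULT" AND err=49 | stats count by user`."""
    counts = defaultdict(int)
    for ev in carry_uid_by_conn(events):
        if ev["kind"] == "RESULT" and ev["err"] == 49 and ev["user"]:
            counts[ev["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for user, n in sorted(failed_logins_by_user(parse_events(SAMPLE_LOG)).items()):
        print(f"{user}\t{n}")
```

Note what `window=1` implies: only the single previous event on the connection is consulted, so the second BIND on conn=1000 carries no user (its predecessor is a RESULT), while each RESULT directly following a BIND does. If other event types on the same connection can sit between a BIND and its RESULT, carrying the last uid seen on the connection, or keying on the conn and op pair shared by the two lines, is the safer join.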