Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Search to group different fields from different events

johnangelo
Loves-to-Learn
‎03-09-2021 01:49 PM

Hi! So ive been at this for hours attempting to use stats and transactions to do this.

I have two events that look like the following: Event 1: (date) (connection=1234) (op=#) (BIND) (username=[username])

Event 2: (date) (connection=1234) (op=#) (RESULT) (error=49) (INVALID CREDENTIALS)

I want to create a pivot that has it so that usernames and invalid credentials can be grouped... right now I am doing the stats command, but not getting any results because these (username and error=49) are two different events. Unfortunately, these fields do not contain unique values among each other (same connection# is shared with many other events, same op# is shared with many others)

The only thing I can think of is event2 comes directly after event1. Is there a way to group this based on time or perhaps eval?

Any suggestions?

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-09-2021 10:33 PM

I assume the connection is still important. Try something like this

 

| sort connection _time
| streamstats current=f window=1 values(user) as user by connection

 

Reply

johnangelo
Loves-to-Learn
‎03-10-2021 10:34 AM

Unfortunately, that did not give me the results I was looking for. For clarity, I am attempting to group userid to failed logins, however, those events are separate from each other. 

For example:

[10/Mar/2021:<time>] conn=1000 op=1 BIND dn="uid=bobjim,cn=users,cn=account,dc=random,dc=com" method=111 version=4

10/Mar/2021:<time>] conn=1000 op=1 RESULT err=49 tag=97 nentries=0 etime=0 - Invalid credentials

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-10-2021 03:18 PM

What fields are you extracting for the first event? I assumed that the user name has been extracted to a field called field user, but obviously if it has been extracted to a different field, then the streamstats has to be updated accordingly. With this change, do you get the user name on the subsequent event? If not, what do you get?

0 Karma
Reply

johnangelo
Loves-to-Learn
‎03-11-2021 07:24 AM

Right now I am using

host=<host> sourcetype=<srctype> | sort connection _time
| streamstats current=f window=1 values(uid) as user by conn

This does return the username, however, I would like the username to be correlated with a failed login attempt and to do a pivot/dashboard on this.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-11-2021 12:15 PM

Guessing from your example logs, the connection is in field conn(?) so you should sort by this rather than connection?

host=<host> sourcetype=<srctype> | sort conn _time
| streamstats current=f window=1 values(uid) as user by conn

This should add the user (uid) to the next record in the pipeline for the connection so the fail message should now have a user (uid) associated with it. 

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...