Splunk Search

Search to group different fields from different events

johnangelo
Loves-to-Learn

Hi! So I've been at this for hours attempting to use stats and transactions to do this.

I have two events that look like the following: Event 1: (date) (connection=1234) (op=#) (BIND) (username=[username])

Event 2: (date) (connection=1234) (op=#) (RESULT) (error=49) (INVALID CREDENTIALS)

I want to create a pivot that has it so that usernames and invalid credentials can be grouped... right now I am doing the stats command, but not getting any results because these (username and error=49) are two different events. Unfortunately, these fields do not contain unique values among each other (same connection# is shared with many other events, same op# is shared with many others)

The only thing I can think of is event2 comes directly after event1. Is there a way to group this based on time or perhaps eval?

Any suggestions?

0 Karma

ITWhisperer
SplunkTrust

I assume the connection is still important. Try something like this

| sort connection _time
| streamstats current=f window=1 values(user) as user by connection

johnangelo
Loves-to-Learn

Unfortunately, that did not give me the results I was looking for. For clarity, I am attempting to group userid to failed logins; however, those events are separate from each other.

For example:

[10/Mar/2021:<time>] conn=1000 op=1 BIND dn="uid=bobjim,cn=users,cn=account,dc=random,dc=com" method=111 version=4

10/Mar/2021:<time>] conn=1000 op=1 RESULT err=49 tag=97 nentries=0 etime=0 - Invalid credentials

0 Karma

ITWhisperer
SplunkTrust

What fields are you extracting for the first event? I assumed that the user name has been extracted to a field called user, but obviously if it has been extracted to a different field, then the streamstats has to be updated accordingly. With this change, do you get the user name on the subsequent event? If not, what do you get?

0 Karma

johnangelo
Loves-to-Learn

Right now I am using

host=<host> sourcetype=<srctype> | sort connection _time
| streamstats current=f window=1 values(uid) as user by conn

This does return the username, however, I would like the username to be correlated with a failed login attempt and to do a pivot/dashboard on this.

0 Karma

ITWhisperer
SplunkTrust

Guessing from your example logs, the connection is in field conn(?) so you should sort by this rather than connection?

host=<host> sourcetype=<srctype> | sort conn _time
| streamstats current=f window=1 values(uid) as user by conn

This should add the user (uid) to the next record in the pipeline for the connection so the fail message should now have a user (uid) associated with it.

0 Karma
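The carry-forward logic the streamstats answer describes, written out in Python as an added example (not from the thread or from Splunk) so it can be checked offline against the BIND/RESULT log format shown above. The sample lines are constructed; the example keys on the (conn, op) pair rather than conn alone, an assumption that keeps interleaved operations on one connection from being mismatched, and it reports a RESULT err=49 that has no preceding BIND as an unknown user.

```python
import re
from collections import defaultdict
# Constructed sample lines in the conn=/op=/BIND/RESULT format shown in the thread (not real data).
SAMPLE_LOG = """\
[10/Mar/2021:10:00:01 +0000] conn=1000 op=1 BIND dn="uid=bobjim,cn=users,cn=account,dc=random,dc=com" method=128 version=3
[10/Mar/2021:10:00:01 +0000] conn=1000 op=1 RESULT err=49 tag=97 nentries=0 etime=0 - Invalid credentials
[10/Mar/2021:10:00:02 +0000] conn=1001 op=1 BIND dn="uid=alice,cn=users,cn=account,dc=random,dc=com" method=128 version=3
[10/Mar/2021:10:00:02 +0000] conn=1001 op=1 RESULT err=0 tag=97 nentries=0 etime=0
[10/Mar/2021:10:00:03 +0000] conn=1000 op=2 BIND dn="uid=bobjim,cn=users,cn=account,dc=random,dc=com" method=128 version=3
[10/Mar/2021:10:00:03 +0000] conn=1000 op=2 RESULT err=49 tag=97 nentries=0 etime=0 - Invalid credentials
[10/Mar/2021:10:00:04 +0000] conn=1002 op=1 RESULT err=49 tag=97 nentries=0 etime=0 - Invalid credentials
"""

LINE_RE = re.compile(r'\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)')
BIND_RE = re.compile(r'BIND dn="uid=(?P<uid>[^,"]+)')
RESULT_RE = re.compile(r'RESULT err=(?P<err>\d+)')

def parse_line(line):
    """Return a dict with ts/conn/op plus uid (BIND) or err (RESULT), or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    bind, result = BIND_RE.search(m["rest"]), RESULT_RE.search(m["rest"])
    return {"ts": m["ts"], "conn": m["conn"], "op": m["op"],
            "uid": bind["uid"] if bind else None,
            "err": int(result["err"]) if result else None}

def failed_binds(log_text):
    """Carry the last BIND uid forward per (conn, op), like streamstats current=f does per
    conn, and attach it to the matching RESULT err=49 (Invalid credentials) event."""
    pending, failures = {}, []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["conn"], ev["op"])
        if ev["uid"] is not None:
            pending[key] = ev["uid"]
        elif ev["err"] is not None:
            user = pending.pop(key, "<unknown>")  # RESULT seen without its BIND
            if ev["err"] == 49:
                failures.append({"ts": ev["ts"], "conn": ev["conn"], "op": ev["op"], "user": user})
    return failures

def failures_by_user(log_text):
    """Aggregate failed binds per user, the table the thread wants to pivot on."""
    counts = defaultdict(int)
    for f in failed_binds(log_text):
        counts[f["user"]] += 1
    return dict(counts)
```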