"How are these transactions linked together... by a field called "ID"? If so.. just build them with the field ID, and then use one of the MV commands to extract a field with success or failure in it. Paste some samples and…"
The dojo of Splunk. Learn, share, teach, mentor.
Videos
Latest Activity
Nikita posted a discussionCount failures and success via transaction
Hi,I'm a new in Splunk so sorry for the stupid questions.I want to calculate failures in logs.For example we have request log and response log."request" OR ("fail" OR "response") |transaction startsWith=("request") endsWith=("fail" OR "response") maxpause=5s keepevicted=false maxspan=25s id |eval Failure=if(searchmatch("fail"),1,0)| eval Success=if(searchmatch("response"),1,0) | stats count(Failure) as FailureCount, count(Success) as SuccessCount | table FailureCount SuccessCountThat query…See More
Correlation between different source that have different value key
Hi,
I have difficulties on using search to correlate these two events from two different sourcetype.
For example (this is not a real production events, but I will use to describe my minds)
First event get from ssl vpn log:
Sourcetype=vpn user_id=00001 action=allow login_time=10-10-2011 11:22:05 logout_time=12-10-2011 src_ip=222.232.10.11
Second event get from data center access door log:
Sourcetype=door user=joe action=allow access_time=10-oct-2011 11:23:00 logout_time=10-oct-2011 14:55:20
For this case, let say the admin want splunk to send alert if the same user access ssl vpn and entering data center in the same time, let say in span 1 hour. It's strange if u access to local data center but in the same time u access to server via ssl vpn
How to build logic correlation in this case? Also if the user identity not have "same" string/keyword, how we tell splunk to identify if user "00001" in ssl vpn log should be same user in door log user "joe" . Is it using csv lookup and define manually?
Thanks
I have difficulties on using search to correlate these two events from two different sourcetype.
For example (this is not a real production events, but I will use to describe my minds)
First event get from ssl vpn log:
Sourcetype=vpn user_id=00001 action=allow login_time=10-10-2011 11:22:05 logout_time=12-10-2011 src_ip=222.232.10.11
Second event get from data center access door log:
Sourcetype=door user=joe action=allow access_time=10-oct-2011 11:23:00 logout_time=10-oct-2011 14:55:20
For this case, let say the admin want splunk to send alert if the same user access ssl vpn and entering data center in the same time, let say in span 1 hour. It's strange if u access to local data center but in the same time u access to server via ssl vpn
How to build logic correlation in this case? Also if the user identity not have "same" string/keyword, how we tell splunk to identify if user "00001" in ssl vpn log should be same user in door log user "joe" . Is it using csv lookup and define manually?
Thanks
Tags: correlation
Views: 131
Replies to This Discussion
-
Permalink Reply by Michael Wilde on -
Andi..
How do you know user 00001 is in fact, "joe".. do you have a list somewhere. If you do, you can use a lookup to map userid to a username. You might create a "users.csv" file and upload it in Manager -- > Lookups.
Make the file like thisuser_id,user
00001,joe
00002,michael
Then, wire up an automatic lookup that runs whenever the SSL VPN log data is searched on and adds a field called "user". Then i would grab events from both sources and maybe pipe it to | transaction user
which would link those events together, you'd see the whole session and have a good idea if malicious activity.
© 2012 Created by Michael Wilde.
