
correlate two sources when event from source A happens in between 2 events on source B VPN session

bcusick
Communicator

Hi,

I am trying to see when an event happens on source=A in between 2 events on source=VPN.
My VPN source provides two different events for "login" and "logout".

I want to link the two sources by usernames, but source=A has them listed differently as "app_user". I currently use a lookup table to return the type of username I want "ad_id". My VPN source has the user listed as 'citrix_user'.

source=A has fields called 'app_user' and a few other non-important sources.

source=VPN has fields called _time, citrix_user, and action. Action is either 'LOGIN' or 'LOGOUT'.

This is what I have but it is not mapping the citrix_user correctly. The status should return "ok" if there is a match.

source="A" | lookup lookuptable.csv app_user | join ad_id [search source=VPN | fields + citrix_user, _time, action] | eval status = if((ad_id=citrix_user), "alert", "ok") | table _time, trader_login, ad_id, citrix_user, action, status
1 Solution

chris
Motivator

I recommend that you have a look at how the Splunk CIM can be used to normalize your field names. The coalesce function for the eval command used below will make sure that you have a "user" field in both your sources.

You might be able to correlate your events using the transaction command:

source="A" OR source=VPN | lookup lookuptable.csv app_user | eval user=coalesce(ad_id,citrix_user) | transaction user | where eventcount > 2 | where mvcount(source) > 1 | table _time, trader_login, ad_id, citrix_user, action

The transaction command will group the events that belong to one event. It has options to define the limits of the events that belong together such as maxspan or startswith. You could use the startswith parameter with a string that identifies your vpn login. By searching for transactions with an eventcount > 2 and that consist of events from more than one source you should get results with a login event, a "source A" event and a logout event (this might need fine tuning though).

Just another thing I've noticed, is that you search for sources in your search. Usually it is best to use sourcetypes. But you might have a reason for doing it this way.
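
The login/logout-window correlation that the transaction search above approximates, written out in Python as an added illustration (not SPL, and not code from the original thread); the lookup table and the events are constructed sample data, and field names follow the question (app_user, ad_id, citrix_user, action).

```python
# Constructed lookup table standing in for lookuptable.csv: app_user -> ad_id
LOOKUP = {"jsmith_app": "jsmith", "adoe_app": "adoe"}

# Constructed sample events; _time is ISO-8601 so string comparison is chronological
EVENTS = [
    {"source": "VPN", "_time": "2024-05-01T08:00:00", "citrix_user": "jsmith", "action": "LOGIN"},
    {"source": "A",   "_time": "2024-05-01T08:30:00", "app_user": "jsmith_app"},  # inside session
    {"source": "VPN", "_time": "2024-05-01T09:00:00", "citrix_user": "jsmith", "action": "LOGOUT"},
    {"source": "A",   "_time": "2024-05-01T10:00:00", "app_user": "jsmith_app"},  # after logout
    {"source": "VPN", "_time": "2024-05-01T08:10:00", "citrix_user": "adoe", "action": "LOGIN"},
    {"source": "A",   "_time": "2024-05-01T08:20:00", "app_user": "adoe_app"},    # no logout yet
]

def normalize_user(ev):
    """Same idea as the lookup plus eval user=coalesce(ad_id, citrix_user)."""
    if ev["source"] == "A":
        return LOOKUP.get(ev["app_user"])  # None when the lookup has no ad_id for this app_user
    return ev.get("citrix_user")

def vpn_sessions(events):
    """Pair each LOGIN with the next LOGOUT of the same user (what transaction startswith/endswith does)."""
    sessions, open_login = [], {}
    for ev in sorted(events, key=lambda e: e["_time"]):
        if ev["source"] != "VPN":
            continue
        user = normalize_user(ev)
        if ev["action"] == "LOGIN":
            open_login[user] = ev["_time"]
        elif ev["action"] == "LOGOUT" and user in open_login:
            sessions.append((user, open_login.pop(user), ev["_time"]))
    # Sessions with no LOGOUT yet stay open (end=None) so activity after the login is not missed
    sessions.extend((user, start, None) for user, start in open_login.items())
    return sessions

def correlate(events):
    """Return (user, a_time, login_time, logout_time) for each source A event inside a VPN session."""
    sessions = vpn_sessions(events)
    hits = []
    for ev in events:
        if ev["source"] != "A":
            continue
        user = normalize_user(ev)
        if user is None:  # lookup miss: cannot be correlated, same as a failed join on ad_id
            continue
        for s_user, start, end in sessions:
            if s_user == user and start <= ev["_time"] and (end is None or ev["_time"] <= end):
                hits.append((user, ev["_time"], start, end))
    return hits
```

Events from source A whose lookup yields no ad_id are dropped rather than silently matched, which is the same failure the original join hides when usernames are spelled differently across sources.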

bcusick
Communicator

I meant to answer this earlier, but this worked like a charm. Thank you! And yes, my search was specific to certain sources.
