matching events across different logs

snickers314 · ‎12-20-2010

Hi, I need to match events across different logs. I believe that this should be done using transactions, but I'm not able to get it to work. My scenario is as follows:

Log A: has info about users logging into System A
Log B: has info about users logging into System B

If a user appears in one, it should have a companion entry in the other.

I need to find all users that logged to one, but not the other.

Individually, I can find users in each log by doing a simple:

search index=indexA userName

but I can't find a way of saying "once you find it in indexA, look for it in indexB, and alert me if you can't"

Any advice is greatly appreciate.

Simeon · ‎12-20-2010

You probably want to use a sub search that pulls the user id and matches (or NOT) across the other file. To do this:

Create a field extraction for the userid in Log A & B. The field name should be exactly the same in both extractions.
Search for all users that logged into System A and output only the userids. Similar to:

source=Log_A user_logged_in | fields userid
Use the latter search as the subsearch to find log ins for Log B. You must make sure the a field extraction exists for userid in Log B, otherwise the values passed from the subsearch won't match anything. Similar to:

source=Log_B [search source=Log_A user_logged_in | fields userid]

So, the above search should find all users that logged in to System A & B. To find users that have not logged into both, you should be able to NOT the sub search.

source=Log_B NOT [search source=Log_A user_logged_in | fields userid]

matching events across different logs

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...