Splunk Search

Correlate data with transaction

fahrenheit
New Member

Hi,

I am trying to correlate data from the ip watchlist app with firewall events.

the search: (index=test sourcetype=cisco_asa teardown) OR (index=test sourcetype=ip_watchlist) | transaction dest_ip,offending_ip maxspan=1d connected=f | eval count_sourcetypes=mvcount(sourcetype) | where count_sourcetypes>1

but it isn't working.

Any idea?

thanks

0 Karma

Ayn
Legend

OK, but you haven't shown us what's wrong with these results, i.e. what results you really were expecting and why.

0 Karma

brettcave
Builder

I find using stats is a much better method for correlating data based on common fields.

stats list(some_field) AS all_values values(other_field) AS distinct_values by transaction_field

You can then pipe to things like mvexpand or eval with multivalue functions to extract / count the data.

hth

0 Karma

fahrenheit
New Member

Thanks brettcave,

I will try and inform you

0 Karma

fahrenheit
New Member

Thanks, I will try.

0 Karma

brettcave
Builder

You can also do something like this to get the IP into a single field from both event types if it works better for you:
... | eval day=strftime(_time,"%F") | eval ip=case(eventtype="cisco",dest_ip,eventtype="ip_watch",offending_ip) | chart c(eval(eventtype="cisco")) as number_of_cisco_events c(eval(eventtype="ip_watch")) as number_of_watchlist_events over day by ip

0 Karma

brettcave
Builder

(index=test sourcetype=cisco_asa teardown) OR (index=test sourcetype=ip_watchlist) | eval day=strftime(_time,"%F") | chart c as number_of_events list(offending_ip) as offending_ips over day by dest_ip

Use chart <aggr_func> over <field-x> by <field-y>, or stats <aggr_func> by <field-x>,<field-y>. Chart also supports the span parameter if you don't want to set the day manually with eval like I did - play around with it to get the exact results you are looking for.

0 Karma

fahrenheit
New Member

Hi brettcave,

I don't know how to do it; can you post an example?

thanks

regards

0 Karma

fahrenheit
New Member

the results

Aug 23 13:03:05 %ASA-6-302014: Teardown TCP connection 924351437 for Inside:x.x.x.x/1081 to Internet:112.106.156.81/80 duration 0:00:30 bytes 0 SYN Timeout
vie ago 23 13:03:26 CEST 2013 splunk-host=splunk offending-ip=61.191.188.70
Aug 23 13:03:26 10.1.233.1 %ASA-6-302014: Teardown TCP connection 924355686 for Inside:x.x.x.x/1084 to Internet:112.106.156.81/80 duration 0:00:30 bytes 0 SYN Timeout

host=x.x.x.x
host=SPLUNK
sourcetype=ciscoasa
sourcetype=ipwatchlist
source=/opt/splunk/etc/apps/splunkipwatchlist/bin/getbadip.sh

thanks

0 Karma
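The stats-style correlation brettcave recommends (normalise both event types into one ip field, group by it, keep the IPs that occur in both sourcetypes within the maxspan), run over the events fahrenheit pasted above, as an added Python example that is not part of this thread, of the ip watchlist app or of Splunk. It uses the sourcetype names visible in the pasted results (ciscoasa and ipwatchlist; note the search in the question filters on cisco_asa and ip_watchlist, and on offending_ip while the raw event carries offending-ip, which is worth checking first). It assumes the year 2013 for the ASA lines (they carry none), treats all timestamps as naive local time, and adds two constructed events so that one IP matches inside the 1-day window and one falls outside it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: the three events pasted in the thread, plus two
# constructed extras (marked below) so the correlation has a hit and a miss.
SAMPLE_EVENTS = [
    ("ciscoasa", "Aug 23 13:03:05 %ASA-6-302014: Teardown TCP connection 924351437 for Inside:x.x.x.x/1081 to Internet:112.106.156.81/80 duration 0:00:30 bytes 0 SYN Timeout"),
    ("ipwatchlist", "vie ago 23 13:03:26 CEST 2013 splunk-host=splunk offending-ip=61.191.188.70"),
    ("ciscoasa", "Aug 23 13:03:26 10.1.233.1 %ASA-6-302014: Teardown TCP connection 924355686 for Inside:x.x.x.x/1084 to Internet:112.106.156.81/80 duration 0:00:30 bytes 0 SYN Timeout"),
    # constructed: watchlist hit for the IP the firewall actually talked to
    ("ipwatchlist", "vie ago 23 13:05:00 CEST 2013 splunk-host=splunk offending-ip=112.106.156.81"),
    # constructed: teardown to a listed IP, but two days later (outside maxspan=1d)
    ("ciscoasa", "Aug 25 09:00:00 10.1.233.1 %ASA-6-302014: Teardown TCP connection 924400001 for Inside:x.x.x.x/2000 to Internet:61.191.188.70/443 duration 0:00:30 bytes 0 SYN Timeout"),
]

# Month abbreviations in English and in the Spanish locale the watchlist script uses.
MONTHS = {m: i + 1 for i, m in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split())}
MONTHS.update({m: i + 1 for i, m in enumerate(
    "ene feb mar abr may jun jul ago sep oct nov dic".split())})

# ASA-6-302014: "<mon> <day> <hh:mm:ss> [host] %ASA-6-302014: Teardown TCP connection N for Iface:src/port to Iface:dst/port ..."
TEARDOWN_RE = re.compile(
    r"^(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) .*?Teardown TCP connection \d+ "
    r"for \S+?:([^/ ]+)/\d+ to \S+?:([\d.]+)/\d+")
# Watchlist line: "<dow> <mon> <day> <hh:mm:ss> <tz> <year> splunk-host=... offending-ip=A.B.C.D"
WATCHLIST_RE = re.compile(
    r"^\S+ (\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) \S+ (\d{4}) .*offending-ip=([\d.]+)")


def _ts(mon, day, hms, year):
    return datetime(int(year), MONTHS[mon.lower()], int(day), *map(int, hms.split(":")))


def parse_event(sourcetype, raw, default_year=2013):
    """Extract _time plus a single normalised 'ip' field (the eval case() step)."""
    if sourcetype == "ciscoasa":
        m = TEARDOWN_RE.match(raw)
        if not m:
            return None
        mon, day, hms, _src, dst = m.groups()
        return {"_time": _ts(mon, day, hms, default_year), "sourcetype": sourcetype,
                "dest_ip": dst, "ip": dst}
    if sourcetype == "ipwatchlist":
        m = WATCHLIST_RE.match(raw)
        if not m:
            return None
        mon, day, hms, year, bad = m.groups()
        return {"_time": _ts(mon, day, hms, year), "sourcetype": sourcetype,
                "offending_ip": bad, "ip": bad}
    return None


def correlate(events, maxspan_days=1):
    """Equivalent of: stats values(sourcetype) ... by ip | where mvcount(sourcetype)>1,
    additionally requiring a firewall/watchlist pair no more than maxspan apart."""
    maxspan = timedelta(days=maxspan_days)
    by_ip = defaultdict(list)
    for sourcetype, raw in events:
        ev = parse_event(sourcetype, raw)
        if ev:
            by_ip[ev["ip"]].append(ev)
    hits = {}
    for ip, evs in by_ip.items():
        fw = [e["_time"] for e in evs if e["sourcetype"] == "ciscoasa"]
        wl = [e["_time"] for e in evs if e["sourcetype"] == "ipwatchlist"]
        if not fw or not wl:
            continue  # seen in only one sourcetype: no correlation
        if not any(abs(f - w) <= maxspan for f in fw for w in wl):
            continue  # both sourcetypes, but never within the window
        hits[ip] = {"firewall_events": len(fw), "watchlist_events": len(wl),
                    "first_seen": min(fw + wl), "last_seen": max(fw + wl)}
    return hits


if __name__ == "__main__":
    for ip, info in correlate(SAMPLE_EVENTS).items():
        print(ip, info)
```

With the constructed input only 112.106.156.81 is reported: 61.191.188.70 is on the watchlist and was contacted, but 44 hours apart, so it drops out at maxspan_days=1 and reappears at maxspan_days=3. The same normalise-then-group logic is what the eval case() plus chart/stats searches above do inside Splunk; transaction is not needed for it.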

Ayn
Legend

"Isn't working" isn't very helpful. Please tell us more about the exact results, and what troubleshooting process you have gone through.

0 Karma