Splunk Search

Correlate data with transaction

fahrenheit
New Member

Hi,

I am trying correlate data from ip watchlist app and events of firewall.

the search: (index=test sourcetype=cisco_asa teardown) OR (index=test sourcetype=ip_watchlist) | transaction dest_ip,offending_ip maxspan=1d connected=f | eval count_sourcetypes=mvcount(sourcetype) | where count_sourcetypes>1

but it isn't working.

Any idea?

thanks

0 Karma

Ayn
Legend

OK, but you haven't shown us what's wrong with these results, i.e. what results you really were expecting and why.

0 Karma

brettcave
Builder

I find using stats is a much better method for correlating data based on common fields.

stats list(some_field) AS all_values values(other_field) AS distinct_values by transaction_field

You can then pipe to things like mvexpand or evals with multivalue functions to extract / count the data.

hth

0 Karma

fahrenheit
New Member

thanks brettcave,

I will try and inform you.

0 Karma

fahrenheit
New Member

Thanks, I will try.

0 Karma

brettcave
Builder

You can also do something like this to get the IP into a single field from both event types if it works better for you:
... | eval ip=case(eventtype="cisco",dest_ip,eventtype="ip_watchlist",offending_ip) | chart c(eval(eventtype="cisco")) as number_of_cisco_events c(eval(eventtype="ip_watchlist")) as number_of_watchlist_events over day by ip

0 Karma

brettcave
Builder

(index=test sourcetype=cisco_asa teardown) OR (index=test sourcetype=ip_watchlist) | eval day=strftime(_time,"%F") | chart c as number_of_events list(offending_ip) as offending_ips over day by dest_ip

Use chart <aggr_func> over <field-x> by <field-y>, or stats <aggr_func> by <field-x>,<field-y>. Chart also supports the span parameter if you don't want to manually set the day using eval like I did - play around with it to get the exact results you are looking for.

0 Karma
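The stats-style correlation brettcave describes (one normalised ip field, a per-sourcetype count by day and ip, then keep only rows seen in both sourcetypes), as an added Python example that is not part of the thread or of Splunk; the events, field names fw_events/watch_events and the regexes for the two raw formats are constructed from the sample lines posted later in the thread.

```python
import re
from collections import defaultdict

# Constructed sample events (day, sourcetype, raw), modelled on the ASA teardown
# and ip_watchlist lines posted in the thread; day mirrors eval day=strftime(_time,"%F").
EVENTS = [
    ("2013-08-23", "ciscoasa", "%ASA-6-302014: Teardown TCP connection 924351437 for "
     "Inside:10.0.0.5/1081 to Internet:112.106.156.81/80 duration 0:00:30 bytes 0 SYN Timeout"),
    ("2013-08-23", "ipwatchlist", "splunk-host=splunk offending-ip=61.191.188.70"),
    ("2013-08-23", "ipwatchlist", "splunk-host=splunk offending-ip=112.106.156.81"),
    ("2013-08-24", "ciscoasa", "%ASA-6-302014: Teardown TCP connection 924400001 for "
     "Inside:10.0.0.7/1090 to Internet:61.191.188.70/443 duration 0:00:30 bytes 0 SYN Timeout"),
]

ASA_DEST = re.compile(r"to Internet:(\d{1,3}(?:\.\d{1,3}){3})/\d+")   # dest_ip in the firewall event
WATCH_IP = re.compile(r"offending-ip=(\d{1,3}(?:\.\d{1,3}){3})")      # offending_ip in the watchlist event

def extract_ip(sourcetype, raw):
    """Equivalent of: eval ip=case(sourcetype=="ciscoasa",dest_ip, sourcetype=="ipwatchlist",offending_ip)."""
    pattern = ASA_DEST if sourcetype == "ciscoasa" else WATCH_IP
    match = pattern.search(raw)
    return match.group(1) if match else None

def correlate(events):
    """Equivalent of: stats count(eval(sourcetype=="ciscoasa")) as fw_events
    count(eval(sourcetype=="ipwatchlist")) as watch_events by day, ip
    | where fw_events>0 AND watch_events>0."""
    counts = defaultdict(lambda: {"fw_events": 0, "watch_events": 0})
    for day, sourcetype, raw in events:
        ip = extract_ip(sourcetype, raw)
        if ip is None:            # event without an extractable IP can never correlate
            continue
        bucket = "fw_events" if sourcetype == "ciscoasa" else "watch_events"
        counts[(day, ip)][bucket] += 1
    # Keep only (day, ip) rows that appear in both sourcetypes.
    return {key: c for key, c in sorted(counts.items()) if c["fw_events"] and c["watch_events"]}

if __name__ == "__main__":
    for (day, ip), c in correlate(EVENTS).items():
        print(day, ip, c)
```

Note that 61.191.188.70 is not reported: it was on the watchlist on 2013-08-23 but only seen by the firewall on 2013-08-24, so a strict per-day bucket misses it where the original transaction maxspan=1d window would not.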

fahrenheit
New Member

Hi brettcave,

I don't know how to do it, can you give an example?

thanks

regards

0 Karma

fahrenheit
New Member

the results

Aug 23 13:03:05 %ASA-6-302014: Teardown TCP connection 924351437 for Inside:x.x.x.x/1081 to Internet:112.106.156.81/80 duration 0:00:30 bytes 0 SYN Timeout
vie ago 23 13:03:26 CEST 2013 splunk-host=splunk offending-ip=61.191.188.70
Aug 23 13:03:26 10.1.233.1 %ASA-6-302014: Teardown TCP connection 924355686 for Inside:x.x.x.x/1084 to Internet:112.106.156.81/80 duration 0:00:30 bytes 0 SYN Timeout
host=x.x.x.x
host=SPLUNK
sourcetype=ciscoasa
sourcetype=ipwatchlist
source=/opt/splunk/etc/apps/splunkipwatchlist/bin/getbadip.sh

thanks

0 Karma

Ayn
Legend

"Isn't working" isn't very helpful. Please tell us more about the exact results, and what troubleshooting process you have gone through.

0 Karma