Splunk Search

How to handle a session split up between multiple events without using transaction or subsearch?

smwilli1
Explorer

One of my VPN log sources is indexed all in different events, correlated by a session_id. This is making things very difficult for me when I am looking for specific events in the session. Consider every time I need a field other than what is in that specific log entry, I have to |transaction on the session to grab a field such as an IP or Username from that another event in that same session.

For example,
Lets say I want to alert on a user who has 20 failed VPN login attempts within a 10 minute period. Seems pretty easy? Well, this is pretty easy as long as I only want the timestamps, username, and the number of fails. I simply do the following:

sourcetype="VPN" "Authentication Fail" |transaction user maxspan=10m |where eventcount>=20 |eval numFails=eventcount |eval FirstFailure=_time |eval LastFailure=_time+duration |table user, FirstFailure, LastFailure, numFails

So thats not too bad. But now lets say I want the IPs associated with these failures, this gets a lot more complicated. The only way I have found to do this is the following:

sourcetype="VPN" "Authentication Fail" |transaction user maxspan=10m |where eventcount>=20 |eval numFails=eventcount |eval FirstFailure=_time |eval LastFailure=_time+duration |streamstats count as id |stats values(user) as user, values(FirstFailure) as FirstFailure, values(LastFailure) as LastFailure, values(numFails) as numFails, values(session_id) as session_id by id|append [search sourcetype="VPN" |stats values(user) as user values(external_ip) as external_ip by session_id |search user=* external_ip=*] |stats values(session_id) as session_id values(FirstFailure) as FirstFailure values(LastFailure) as LastFailure list(external_ip) as external_ip by user

As you can see, I have to subsearch for the VPN logs and stats on the session_id to pull back a external ip to the search, then stats again on the results to associate the IPs with the sessions I got in the main search. I also realize I could be missing a much easier way of doing this, since I am fairly new to these advanced searches in Splunk.

I am hoping to find suggestions on how to better deal with the sessions so i don't have to have a sub-search anytime i need a field from another log in the session. When getting into more complicated searches and correlations, this slows the search down a significant amount as well.

I have provided a sample of the logs below for everyone to take a look at. Thanks in advance!

Aug 26 18:21:35 (session_id): Received User-Agent header:
Aug 26 18:21:35 (session_id): New session from client IP 111.111.111.111
Aug 26 18:22:05 (session_id): Username 'user'
Aug 26 18:22:05 (session_id): SECURID module: authentication with 'user' failed: Authentication failed.
Aug 26 18:22:36 (session_id): Username 'user'
Aug 26 18:22:36 (session_id): Retry Username 'user'
Aug 26 18:22:38 (session_id): Access policy result: Full
Aug 26 18:22:41 (session_id): Assigned PPP IPv4: 101.101.101.101

1 Solution

Ayn
Legend

You can use eventstats for writing the various values to fields that you can then use.

For instance, let's say you want to do something related to the authentication failure events, and you have "user" straight from the event itself but you don't have the IP number, because this resides in another event for the same session - right?

Well, using eventstats you can do something like this:

... | eventstats first(external_ip) as external_ip by session_id | ...

Voilà, the field "external_ip" with the corresponding IP number now exists for all the events carrying the same session ID. Is this what you're after?

View solution in original post

Ayn
Legend

You can use eventstats for writing the various values to fields that you can then use.

For instance, let's say you want to do something related to the authentication failure events, and you have "user" straight from the event itself but you don't have the IP number, because this resides in another event for the same session - right?

Well, using eventstats you can do something like this:

... | eventstats first(external_ip) as external_ip by session_id | ...

Voilà, the field "external_ip" with the corresponding IP number now exists for all the events carrying the same session ID. Is this what you're after?

ppablo
Retired

Hi @smwilli1

Glad @Ayn helped you find a solution 🙂 Please be sure to accept their answer by clicking on the big check mark to the left of their response. This will mark this post as solved and other users with a similar issue will be more likely to turn to this post for help. Ayn will also be awarded 20 karma points and you'll receive 10. Thanks!

Patrick

0 Karma

smwilli1
Explorer

Awesome! That works perfectly for what i needed. Who knew it would be that simple, haha

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...