Align results with time differences

crt89
Communicator

Good day Splunkers,

I'm having a problem with my search; well, this is what I am trying to achieve.
I have 2 sources (AD events and DHCP events). I am retrieving Account_Name and Workstation_Name fields from AD while Host_Name and Description fields from DHCP. I am using join in my search and using the _time and IP Address as the common fields for both the searches. I did come up with a results table. Great!
Here's what I have come up with my search:
index=ad sourcetype="WMI:WinEventLog:Security" CategoryString="Logon" Source_Network_Address=10.225.105.162 | rex "(?i)New\sLogon:\s+Security\sID:\s+.+\s+Account\sName:\s+(?P<Account_Name>.+)" | eval Time=round(_time,0) | table Time, Account_Name, Workstation_Name | join Time [search index=dhcp_index IP_Address=10.225.105.162 Description=Assign OR Description=Renew | eval Time=_time | table Time,Host_Name,Description] | convert ctime(Time)

Well, here comes my problem: there are events from AD that don't match the time from the DHCP source, like a second (or sometimes more) difference. My search won't output results since it can't match the same time on both sources.

See images (screenshots not reproduced here):
AD source [image not available]
DHCP source [image not available]

I'm kinda out of search strings to use here. Is there a way I can set the seconds to match and align the results from both sources? I could use some help and guidance from our Search Gurus here.

Thanks,
crt

1 Solution

martin_mueller
SplunkTrust

Joining with fuzzy time may be achieved by using transaction:

<filters for AD events> OR <filters for DHCP events> | <rex stuff> | transaction <common_field> maxspan=5s

Not sure if your data has common fields... but if it doesn't then joining by time is crap anyway, how to be sure no two DHCP/AD super-events happen at roughly the same time?
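
As an added illustration (not part of the original thread and not Splunk's own code), the Python below reproduces the two behaviours discussed here over constructed sample events: an exact join on whole seconds, which misses the AD/DHCP pairs that differ by a second or two, and a transaction-style pairing that accepts any DHCP event for the same IP within maxspan seconds. It also records how many DHCP events fell inside the window, which is the ambiguity martin_mueller points out, and shows that requiring a common field (Workstation_Name equal to Host_Name, an assumption about the data) removes it. Field names follow the thread; the IP address, timestamps, host and account names are made up.

```python
"""Fuzzy time correlation of AD logon events with DHCP lease events.

Added example, not Splunk code: emulates `join Time` versus
`transaction ip maxspan=5s` so the difference is visible on sample data.
"""
from datetime import datetime, timezone

# Constructed sample events (made-up IP, times, hosts and accounts).
AD_EVENTS = [
    {"_time": "2024-03-01 08:00:01", "ip": "10.225.105.162", "Account_Name": "jdoe", "Workstation_Name": "WS01"},
    {"_time": "2024-03-01 08:30:02", "ip": "10.225.105.162", "Account_Name": "jdoe", "Workstation_Name": "WS01"},
    {"_time": "2024-03-01 09:00:00", "ip": "10.225.105.162", "Account_Name": "asmith", "Workstation_Name": "WS02"},
]
DHCP_EVENTS = [
    {"_time": "2024-03-01 08:00:00", "ip": "10.225.105.162", "Host_Name": "WS01", "Description": "Assign"},
    {"_time": "2024-03-01 08:30:00", "ip": "10.225.105.162", "Host_Name": "WS01", "Description": "Renew"},
    {"_time": "2024-03-01 09:00:00", "ip": "10.225.105.162", "Host_Name": "WS02", "Description": "Assign"},
    {"_time": "2024-03-01 09:00:03", "ip": "10.225.105.162", "Host_Name": "WS03", "Description": "Assign"},
]


def _epoch(ts: str) -> int:
    """Parse 'YYYY-MM-DD HH:MM:SS' (treated as UTC) into integer epoch seconds, like Splunk's _time."""
    return int(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp())


def _merge(ad: dict, dhcp: dict, candidates: int) -> dict:
    """Build one output row in the shape of the thread's results table."""
    return {
        "Time": ad["_time"],
        "Account_Name": ad["Account_Name"],
        "Workstation_Name": ad["Workstation_Name"],
        "Host_Name": dhcp["Host_Name"],
        "Description": dhcp["Description"],
        "candidates": candidates,  # how many DHCP events were eligible for this AD event
    }


def exact_join(ad_events: list, dhcp_events: list) -> list:
    """Emulate `join Time` on whole seconds: only identical (ip, second) pairs match."""
    dhcp_by_key = {}
    for d in dhcp_events:
        dhcp_by_key.setdefault((d["ip"], _epoch(d["_time"])), []).append(d)
    rows = []
    for a in ad_events:
        for d in dhcp_by_key.get((a["ip"], _epoch(a["_time"])), []):
            rows.append(_merge(a, d, candidates=1))
    return rows


def fuzzy_join(ad_events: list, dhcp_events: list, maxspan: int = 5, require_hostname: bool = False) -> list:
    """Emulate `transaction ip maxspan=<maxspan>s`: pair each AD logon with the
    DHCP events for the same IP whose timestamp lies within maxspan seconds.
    With require_hostname=True the DHCP Host_Name must also equal the AD
    Workstation_Name, a 'common field' that makes the pairing unique."""
    rows = []
    for a in ad_events:
        t_a = _epoch(a["_time"])
        candidates = [
            d for d in dhcp_events
            if d["ip"] == a["ip"]
            and abs(_epoch(d["_time"]) - t_a) <= maxspan
            and (not require_hostname or d["Host_Name"] == a["Workstation_Name"])
        ]
        if not candidates:
            continue
        # Keep the nearest DHCP event but record how many were in the window,
        # so an analyst can see when the pairing was not unique.
        nearest = min(candidates, key=lambda d: abs(_epoch(d["_time"]) - t_a))
        rows.append(_merge(a, nearest, candidates=len(candidates)))
    return rows


if __name__ == "__main__":
    print("exact join rows:", len(exact_join(AD_EVENTS, DHCP_EVENTS)))
    for row in fuzzy_join(AD_EVENTS, DHCP_EVENTS, maxspan=5):
        flag = " (ambiguous)" if row["candidates"] > 1 else ""
        print(row["Time"], row["Account_Name"], row["Workstation_Name"], row["Host_Name"], row["Description"] + flag)
```

On the sample data the exact join returns only the 09:00:00 pair, the fuzzy pairing returns all three AD logons, and the third is flagged because two DHCP events sit inside its 5-second window; requiring the hostname to match leaves every row with a single candidate.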

crt89
Communicator

Hi @martin_mueller !

Thanks for this. I did manage to stick together the events from AD and DHCP with time differences. I did the transaction command with maxspan with no common field to join.

Here's what my end result table is:
[image not available]
