Using Eval to get timespan to apply to subsearch

ltrand · ‎05-07-2015

I'm looking for a way that I can take some logon logs and figure out the firewall logs for only when the user had the IP. Because it's a VPN pool, the IP's refresh and get reused quickly, so I'm trying to build a correlation that can positively match the activity to an endpoint.

What I have so far:
(sourcetype=WinEventLog:Security AccountName="username" | transaction TaskCategory startswith=Logon endswith="Logon/Logoff"| table _time TaskCategory Source_Network_Address

I would like to do a subsearch that is logically similar to this:

in sourcetype=fwlogs where src_ip=Source_Network_Address starts with transaction start-time-ends with transaction-end-time

Any thoughts?

woodcock · ‎05-07-2015

This should do the trick (replace < with "<" and > with ">"; stupid markdown bugs):

sourcetype=WinEventLog:Security AccountName="username"
| transaction TaskCategory startswith=Logon endswith="Logon/Logoff"
| eval startTime=_time | eval endTime=_time+duration
| map search="search sourcetype=fwlogs src_ip=$Source_Network_Address$ _time&gt;=$startTime$ _time&lt;=$endTime$

Using Eval to get timespan to apply to subsearch

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!