Splunk Search

Help with searching across 3 files where one file contains not obviously linkable transactions

mfrost8
Builder

I'm trying to construct a search containing data across 3 Juniper Steel-Belted Radius files. The first two files, sourcetyped as radius_act_log and radius_auth_log, are straightforward CSV files with well-defined headers. I have extracted fields like User_Name, for instance, allowing me to search with User_Name="Bob".

The third file, sourcetyped as radius_log, contains interleaved session information and this file is where the "meat" of our searching will hopefully be. Contents of the radius_log sourcetype look like this

...
05/18/2011 09:43:02 (17904)-----------------------------------------------------------
05/18/2011 09:43:02 (17904)Accounting Request
05/18/2011 09:43:02 (17904)Received From: ip=1.2.3.4 port=41234
05/18/2011 09:43:02 (17904)Packet : Code = 0x4 ID = 0x40
05/18/2011 09:43:02 (17904)Client Name = 3.4.5.6 Dictionary Name = Radius.dct
05/18/2011 09:43:02 (17904)Vector =
05/18/2011 09:43:02 (17904)000: dff32d66 b0f78418 a85647c8 043609fb |..-f.....VG..6..|
05/18/2011 09:43:02 (17904)Parsed Packet =
05/18/2011 09:43:02 (17904)NAS-Identifier : String Value = 3.4.5.6
05/18/2011 09:43:02 (17904)User-Name : String Value = Bob
05/18/2011 09:43:02 (17904)NAS-IP-Address : IPAddress = 3.4.5.6
05/18/2011 09:43:02 (17904)NAS-Port : Integer Value = 252151
05/18/2011 09:43:02 (17904)Framed-IP-Address : IPAddress = 2.3.4.5
05/18/2011 09:43:02 (17904)3GPP2-Correlation-ID : String Value = 9zrsaI2e
05/18/2011 09:43:02 (17904)Calling-Station-Id : String Value = 310002346738412
05/18/2011 09:43:02 (17904)Acct-Status-Type : Integer Value = 1
05/18/2011 09:43:02 (17904)Acct-Session-Id : String Value = 423ADCBE
05/18/2011 09:43:02 (17904)Funk-Source-IP-Address : IPAddress = 1.2.3.4
05/18/2011 09:43:02 (17904)-----------------------------------------------------------
05/18/2011 09:43:02 (17904)Determining if this radius should act as a proxy
05/18/2011 09:43:02 (17904)Sending accounting response
05/18/2011 09:43:02 (17904)Created new session record without old-style Class attribute for user Bob
05/18/2011 09:43:02 (17904)Accounting start contains ip address 2.3.4.5 currently in use
05/18/2011 09:43:02 (17904)Sending accounting response
05/18/2011 09:43:02 (17904)-----------------------------------------------------------
...

I can, of course, set up another field extraction to pull User_Name from the radius_log sourcetype as well. The trick here is that the user name appears only occasionally in radius_log. The number in parens, 17904 above, is the LogThreadId (also already extracted as a field) and that's what would link related events together. It's really their idea of a session, except that it's not a value that's logged in any other file. It's just a unique number they generate to help you see events relating to a particular session.

What I would like to be able to do is construct a search that will show me all activity by user Bob in the last 24 hours across all 3 files and similar kinds of searches. It seems to me that I need to identify the user name in radius_log, then look at what the LogThreadId field is for that user name in say the last 24 hours and return those (plus perhaps the results from the other 2 CSV files where it's just a simple User_Name="Bob" search). Or something like that. I'm just not sure how to do that.

I had toyed with the idea of having Splunk treat things from radius_log as a single event -- breaking on the "-------------" lines perhaps, but since each event has a separately logged date and time, that seemed kind of weird. In most cases where I see those, the time is identical but not always.

I'm hoping this is an easy one for someone who has better search skills than I.

Thanks


Simeon
Splunk Employee

You probably need to create a transaction for each radius_log event. You can do this by using the 'transaction' command with your LogThreadId field:

sourcetype=radius_log | transaction LogThreadId maxspan=2s

After that is done, you now have a single 'event' that can be identified with the User Bob (just create a field extraction for the User Name which you have already done). Note that the transaction command can be expensive as it combines a lot of raw data.

sourcetype=radius_log | transaction LogThreadId maxspan=2s | search User_Name=Bob
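The grouping the answer above describes, worked through offline in Python as an added example (this is not Splunk's transaction command and not code from either poster). It groups radius_log lines by the number in parentheses (the LogThreadId), applies the same maxspan cutoff as Simeon's search, records the User-Name where a thread logs one, and then returns the transactions for a given user, optionally restricted to a time window. The sample log is constructed to resemble the excerpt in the question, not real data; it assumes, as the maxspan option implies, that a thread id can be reused later for an unrelated session, which is the case the cutoff has to handle. Function names and the 2-second default are this example's own choices.

```python
import re
from datetime import datetime, timedelta

# Constructed sample shaped like the radius_log excerpt in the question (not real data).
# Thread 17904 appears twice: a session at 09:43:02-03 and an unrelated one at 09:43:09,
# which a maxspan cutoff must keep apart. Thread 18211 belongs to a different user.
SAMPLE_RADIUS_LOG = """\
...
05/18/2011 09:43:02 (17904)-----------------------------------------------------------
05/18/2011 09:43:02 (17904)Accounting Request
05/18/2011 09:43:02 (17904)Received From: ip=1.2.3.4 port=41234
05/18/2011 09:43:02 (17904)User-Name : String Value = Bob
05/18/2011 09:43:02 (17904)Acct-Session-Id : String Value = 423ADCBE
05/18/2011 09:43:02 (17904)Sending accounting response
05/18/2011 09:43:03 (17904)Created new session record without old-style Class attribute for user Bob
05/18/2011 09:43:05 (18211)Accounting Request
05/18/2011 09:43:05 (18211)User-Name : String Value = Alice
05/18/2011 09:43:05 (18211)Sending accounting response
05/18/2011 09:43:09 (17904)Accounting Request
05/18/2011 09:43:09 (17904)User-Name : String Value = Bob
"""

TS_FORMAT = "%m/%d/%Y %H:%M:%S"
# "<date> <time> (<LogThreadId>)<message>", with no space after the closing paren.
LINE_RE = re.compile(r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \((?P<tid>\d+)\)(?P<msg>.*)$")
# The only line type in the excerpt that names the user in a parseable way.
USER_RE = re.compile(r"^User-Name : String Value = (?P<user>\S+)")


def parse_ts(text):
    """Parse a timestamp in the log's own format (used for the 'since' argument too)."""
    return datetime.strptime(text, TS_FORMAT)


def parse_lines(text):
    """Yield (timestamp, LogThreadId, message); lines that do not fit the format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield parse_ts(m.group("ts")), m.group("tid"), m.group("msg")


def build_transactions(text, maxspan_seconds=2):
    """Group lines into per-LogThreadId transactions, like `transaction LogThreadId maxspan=2s`.

    A line more than maxspan after the FIRST line of the open transaction for its thread id
    closes that transaction and opens a new one, so a reused thread id does not merge two
    unrelated sessions into one event.
    """
    maxspan = timedelta(seconds=maxspan_seconds)
    open_txn = {}   # LogThreadId -> transaction currently being built
    done = []
    for ts, tid, msg in parse_lines(text):
        txn = open_txn.get(tid)
        if txn is None or ts - txn["start"] > maxspan:
            if txn is not None:
                done.append(txn)
            txn = {"LogThreadId": tid, "start": ts, "end": ts, "lines": [], "User_Name": None}
            open_txn[tid] = txn
        txn["end"] = ts
        txn["lines"].append(msg)
        u = USER_RE.match(msg)
        if u:
            txn["User_Name"] = u.group("user")
    done.extend(open_txn.values())
    done.sort(key=lambda t: t["start"])
    return done


def activity_for_user(text, user, since=None, maxspan_seconds=2):
    """Transactions carrying a User-Name of `user`, the offline analogue of `| search User_Name=Bob`.

    `since` is an optional timestamp string in the log's format; transactions that ended
    before it are dropped, which is the "last 24 hours" part of the question.
    """
    cutoff = parse_ts(since) if since else None
    return [t for t in build_transactions(text, maxspan_seconds)
            if t["User_Name"] == user and (cutoff is None or t["end"] >= cutoff)]


if __name__ == "__main__":
    for t in activity_for_user(SAMPLE_RADIUS_LOG, "Bob"):
        print(t["LogThreadId"], t["start"], t["end"], len(t["lines"]), "lines")
```

With the 2-second cutoff the sample yields three transactions (17904/Bob, 18211/Alice, 17904/Bob again); raising maxspan to 10 seconds merges the two 17904 bursts into one, which is the trade-off behind picking a value for maxspan. Threads that never log a User-Name line end up with User_Name unset and are not returned for any user, so events for Bob that a thread only mentions in free text ("for user Bob") need a second extraction before they can be matched. The two CSV sourcetypes need none of this; they are searched on User_Name directly.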