Splunk Search

correlate events that match on time and IP address

phudinhha
Explorer

I have two indexes:
1 - DNS log with source IP and a _time field
2 - DHCP log with DHCP IP and a _time field

I figured out a way to match the source IP of the DNS log with the source IP of the DHCP log. However, what concerns me is the difference in time between these two indexes. Is there any way to display the table as DNS_TIME, DHCP_TIME (approximately a 5m window apart), DHCP_hostname?

I would really appreciate it if anyone could help me with this!


mlf
Path Finder

Sounds like the transaction command with the maxspan option might be what you're after. Without sample logs, it's hard to tell, but something like:

| transaction IP maxspan=5m

might work.

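As an added example that is not part of the original thread, the search below does what the question asks without transaction: it carries the most recent DHCP assignment for each IP forward with streamstats and keeps only DNS events that occur within 5 minutes (300 s) after it, so every row shows DNS_TIME, DHCP_TIME and the hostname that held the IP at that moment. The index names and the fields src_ip, dhcp_ip, hostname and query are assumptions; substitute your own field names.

```spl
(index=dns src_ip=*) OR (index=dhcp dhcp_ip=*)
| eval IP=coalesce(src_ip, dhcp_ip)
| eval DHCP_TIME=if(index="dhcp", _time, null())
| eval DHCP_hostname=if(index="dhcp", hostname, null())
| sort 0 _time
| streamstats last(DHCP_TIME) as DHCP_TIME last(DHCP_hostname) as DHCP_hostname by IP
| where index="dns" AND isnotnull(DHCP_TIME) AND (_time - DHCP_TIME) <= 300
| eval lag_sec=_time - DHCP_TIME
| eval DNS_TIME=strftime(_time, "%Y-%m-%d %H:%M:%S"), DHCP_TIME=strftime(DHCP_TIME, "%Y-%m-%d %H:%M:%S")
| table DNS_TIME DHCP_TIME lag_sec IP DHCP_hostname query
```

Because last() in streamstats ignores events where the field is null, each DNS event picks up the DHCP assignment that preceded it rather than a later one, which is what you want when the same IP is reassigned to a different host; widen the 300 in the where clause if your DHCP and DNS clocks drift by more than the 5-minute window.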