Splunk Search

Correlation of events

splaccount123
New Member

Hi! Is it possible to create a correlation of fields over several different events?

For example, I have to find all users who have two specific IPs in different events.
So IP2 isn't relevant, and I have to find users who have IP1 and IP3 only.

0 Karma

woodcock
Esteemed Legend

Like this:

... | rex "\s+user\s*=\s*(?<user>\S+)\s+eventa\s*=\s*(?<eventa>\S+)" | stats values(*) AS * BY user | search eventa="A" AND eventa="B"
0 Karma

Richfez
SplunkTrust

For your example in comments of

12/7/15 5:30:11.000 PM CEF:0|SI|Audit|1.0|0005|Successful|3|rt=Dec 07 2015 17:30:11 user=JSF eventa=A
12/7/15 5:30:13.000 PM CEF:0|SI|Audit|1.0|0005|Successful|3|rt=Dec 07 2015 17:30:13 user=JSF eventa=B
12/7/15 5:30:16.000 PM CEF:0|SI|Audit|1.0|0005|Successful|3|rt=Dec 07 2015 17:30:16 user=TEST eventa=A
12/7/15 5:30:24.000 PM CEF:0|SI|Audit|1.0|0005|Successful|3|rt=Dec 07 2015 17:30:24 user=JSF eventa=C
12/7/15 5:30:30.000 PM CEF:0|SI|Audit|1.0|0005|Successful|3|rt=Dec 07 2015 17:30:30 user=TEST eventa=C

Where you want to find all users who have eventa=A and eventa=B. In your example, JSF would fit that criteria but TEST would not.

index=<myindex> <my other root search stuff>  | stats list(eventa) AS Events, count BY user | search Events=A AND Events=B

So, after building your initial search that returns the above data, we'll push it through stats to group things together by user. There are quite a few more options possible if you want different values or types of fields to be available. Once you have them grouped, the next command runs a search against that result and finds only those records where it now contains BOTH an A and a B.

user    Events  count
JSF     C       3
        B
        A

Lol, I have no idea if that will end up aligned right. Here, try this "pseudo-output":

user    Events     count
JSF     C, B, A    3

The 3 is the count of the number of original events that "make up" the new grouped event.

0 Karma

woodcock
Esteemed Legend

Show a minimal set of raw event data with fields indicated and a mockup of your desired output with a bit of description about any trickiness (logic/math) in getting from start to finish.

0 Karma

somesoni2
SplunkTrust

Could you provide more details with sample data and corresponding expected output?

0 Karma

robJack01
New Member

Ok, for example, with different events:

12/7/15 5:30:11.000 PM CEF:0|SI|Audit|1.0|0005|Successful|3|rt=Dec 07 2015 17:30:11 user=JSF eventa=A
12/7/15 5:30:13.000 PM CEF:0|SI|Audit|1.0|0005|Successful|3|rt=Dec 07 2015 17:30:13 user=JSF eventa=B
12/7/15 5:30:16.000 PM CEF:0|SI|Audit|1.0|0005|Successful|3|rt=Dec 07 2015 17:30:16 user=TEST eventa=A
12/7/15 5:30:24.000 PM CEF:0|SI|Audit|1.0|0005|Successful|3|rt=Dec 07 2015 17:30:24 user=JSF eventa=C
12/7/15 5:30:30.000 PM CEF:0|SI|Audit|1.0|0005|Successful|3|rt=Dec 07 2015 17:30:30 user=TEST eventa=C

Here I have to find all users who have eventa=A and eventa=B.
Is it possible?

0 Karma