Splunk Search

Correlating two different Vendor types

Hegemon76
Communicator

Hello,

Lets say I have a firewall and an IPS and I wanted to correlate based on source IP I'm trying to figure out the best way to go about doing this. Essentially I want to see if an IP is passing successfully through my IPS and hitting the firewall successfully.

Any help would be appreciated.

Thank You

0 Karma

sundareshr
Legend

Try something like this

*UPDATED based on sample data*

index=(company acronym) cef_vendor="Imperva Inc." OR cef_vendor=TippingPoint | chart values(action) as action by src_ip cef_vendor
0 Karma

Hegemon76
Communicator

Hello

Thank you for your responses. The information is coming in via CEF format, so the fields are somewhat different.

What I imagine it would look like is something like this... (we're using Imperva and TippingPoint)

index=(company acronym) cef_vendor="Imperva Inc." AND cef_vendor=TippingPoint | stats values by src | sort - count

The end result is I just want to see if attacking IPs are getting through to the IPS and hitting the firewall. Running the script above, I get no results. Removing one of the vendors, results pop up, so I'm assuming that none of the events can be correlated together? Sundareshr, thanks for the example.

Thank you

0 Karma

somesoni2
Revered Legend

At a time the field cef_vendor can't have both the values, so you should replace the AND with OR.

0 Karma

Hegemon76
Communicator

I'm curious though wouldn't it show up under both if it's going through one to get to the other?

For instance, under TippingPoint it would be "action=Allow" and under Imperva Inc. "action=Block".

Thank you

0 Karma

somesoni2
Revered Legend

The filter is applied for every event; these two values will appear on separate events, so an AND operator will not work.

Maybe try something like this

index=(company acronym) cef_vendor="Imperva Inc." OR cef_vendor=TippingPoint | stats values(action) as action by src | where mvcount(action)=2

For better suggestions, you really need to provide more details on your data (what index/sourcetype fields are there) and your mock output.

0 Karma
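The two searches above (the `chart values(action) by src_ip cef_vendor` form and the `stats values(action) by src | where mvcount(action)=2` form) both rely on the same idea: every CEF line is one event from one vendor, so the correlation has to happen after grouping by source address rather than in the per-event filter. The Python below is an added example, not code from the thread or from Splunk, that does the same grouping offline over a CEF parser. It takes the two records posted in the thread (cut down to the fields it needs) plus a third, constructed TippingPoint record that reuses the Imperva source IP, so that one address appears behind both vendors. The field names `cef_vendor`, `src` and `act` follow the CEF header and extension keys; the Splunk field names in the thread (`src_ip`, `action`) are whatever the CEF add-on extracts and are assumed to map onto them.

```python
import re
from collections import defaultdict

# Sample data, not live logs: two records copied from the thread (truncated to the
# fields this example uses) plus one constructed record that shares the Imperva
# source address so the correlation has something to find.
SAMPLE_EVENTS = [
    "CEF:0|Imperva Inc.|SecureSphere|11.5.0|Custom|Custom Violation|Medium| "
    "eventId=9308631149 proto=TCP cat=Alert act=Block src=141.212.122.16 "
    "spt=1254 dst=172.20.50.11 dpt=80 cs1=Custom_Blocked_UserAgents cs1Label=Policy "
    "aid=3A2MJJEUBABCAA3I6E0GXmg\\=\\= ad.cs7= ad.cs7Label=SessionID",
    "CEF:0|TippingPoint|SMS||7120|TCP: Segment Overlap With Different Data, e.g., Fragroute|Medium| "
    "eventId=9310952616 act=Block src=216.82.250.247 spt=21360 dst=8.36.160.48 dpt=25 "
    "cs4=ANY ANY cs5=172.16.7.240 cs4Label=ZoneNames cs5Label=Device Name",
    # constructed: the IPS let this source through, the WAF then blocked it
    "CEF:0|TippingPoint|SMS||7120|TCP: Segment Overlap With Different Data, e.g., Fragroute|Low| "
    "eventId=9310952617 act=Allow src=141.212.122.16 spt=4410 dst=8.36.160.48 dpt=80",
]

# Header fields are pipe-separated; a literal pipe inside a field is escaped as "\|".
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")
# An extension key is a run of word characters (dots allowed, e.g. "ad.cs7") that
# starts the string or follows whitespace and is immediately followed by "=".
# Values may contain spaces, so the value is everything up to the next key.
_EXT_KEY = re.compile(r"(?:^|\s)([\w.]+)=")


def _unescape(text):
    """Undo the CEF escapes for pipe, equals and backslash."""
    return text.replace("\\|", "|").replace("\\=", "=").replace("\\\\", "\\")


def parse_cef(line):
    """Split one CEF record into its 7 header fields plus the key=value extension."""
    parts = _HEADER_SPLIT.split(line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % line[:40])
    event = {
        "cef_version": parts[0].split(":", 1)[1],
        "cef_vendor": _unescape(parts[1]),
        "cef_product": _unescape(parts[2]),
        "cef_device_version": _unescape(parts[3]),
        "cef_signature_id": _unescape(parts[4]),
        "cef_name": _unescape(parts[5]),
        "cef_severity": _unescape(parts[6]),
    }
    ext = parts[7]
    keys = list(_EXT_KEY.finditer(ext))
    for i, match in enumerate(keys):
        value_end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        event[match.group(1)] = _unescape(ext[match.end():value_end].strip())
    return event


def correlate_by_source(events, vendors=("Imperva Inc.", "TippingPoint")):
    """Group events by src, then keep only sources seen by every listed vendor.

    This mirrors "chart values(action) by src_ip cef_vendor" and the
    "stats values(action) by src | where mvcount(action)=2" search, except that
    actions are kept per vendor, so a single vendor reporting two different
    actions for one source does not count as a cross-device match.
    Returns {src: {vendor: [sorted actions]}} for the matching sources.
    """
    seen = defaultdict(lambda: defaultdict(set))
    for event in events:
        vendor = event.get("cef_vendor")
        src = event.get("src")
        if vendor in vendors and src:
            seen[src][vendor].add(event.get("act", "unknown"))
    return {
        src: {vendor: sorted(actions) for vendor, actions in by_vendor.items()}
        for src, by_vendor in seen.items()
        if all(vendor in by_vendor for vendor in vendors)
    }


if __name__ == "__main__":
    parsed = [parse_cef(line) for line in SAMPLE_EVENTS]
    for src, by_vendor in correlate_by_source(parsed).items():
        print(src, by_vendor)
```

Run on only the two records that were actually posted, `correlate_by_source` returns nothing, which is the same outcome the thread reports from the `stats ... | where mvcount(action)=2` search: the two appliances saw different source addresses, so there is nothing to join. The constructed third record is what produces the one hit, with "Allow" from TippingPoint and "Block" from Imperva for the same address.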

Hegemon76
Communicator

Sorry first time doing something like this....

If I posted a redacted version of an event from index=(company acronym) cef_vendor="Imperva Inc." and one from cef_vendor=TippingPoint and removing any mention of the company that would be fine?

In terms of the index consider it the "main" index. Everything is on one index.

The sourcetype is just "CEF".

We're forwarding data from an ArcSight logger into the splunk environment....not ideal circumstances here...just working with what I have.

0 Karma

sundareshr
Legend

Yes, you can post redacted events or you can even create mock events and post those. The idea behind sharing the events is to show what the data looks like and the key fields from relevant devices.

0 Karma

Hegemon76
Communicator

Below are two events from both appliances:

Regarding share the expected output I thought I answered this? (sincerely....). When you say share expected output I'm thinking "I just want the attacker addresses making it through the clients IPS and hitting their firewall." Apologies for the miscommunication....what are you looking for if this isn't it?

CEF:0|Imperva Inc.|SecureSphere|11.5.0|Custom|Custom Violation|Medium| eventId=9308631149 proto=TCP catdt=Network-based IDS/IPS art=1470932478330 cat=Alert deviceSeverity=Medium act=Block rt=1470932472000 shost=researchscan271.eecs.umich.edu src=141.212.122.16 sourceZoneURI=/All Zones/ArcSight System/Public Address Space Zones/RIPE NCC/141.0.0.0-141.255.255.255 (RIPE NCC) spt=1254 dst=172.20.50.11 destinationZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 172.16.0.0-172.31.255.255 dpt=80 duser=n/a cs1=Custom_Blocked_UserAgents cs2=(redacted) cs3=(redacted) cs4=(redacted) cs5=Custom_Blocked_UserAgents cs6=747586722184 cs1Label=Policy cs2Label=ServerGroup cs3Label=ServiceName cs4Label=ApplicationName cs5Label=Description cs6Label=EventID ahost=WIN-MFGNMJGIUIK agt=172.16.227.50 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 172.16.0.0-172.31.255.255 av=7.0.1.6963.0 atz=America/New_York aid=3A2MJJEUBABCAA3I6E0GXmg\=\= at=syslog dvc=172.16.227.74 deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 172.16.0.0-172.31.255.255 dtz=America/New_York _cefVer=0.1 ad.cs7= ad.cs7Label=SessionID

CEF:0|TippingPoint|SMS||7120|TCP: Segment Overlap With Different Data, e.g., Fragroute|Medium| eventId=9310952616 externalId=35354 app=ip/IP categorySignificance=/Informational/Warning categoryBehavior=/Communicate categoryTechnique=/Traffic Anomaly/Transport Layer categoryDeviceGroup=/IDS/Network categoryOutcome=/Failure categoryObject=/Network art=1470934026394 cat=Application/Protocol Anomaly - Protocol Anomaly deviceSeverity=Low act=Block rt=1470933958006 src=216.82.250.247 sourceZoneURI=/All Zones/ArcSight System/Public Address Space Zones/ARIN/216.0.0.0-216.255.255.255 (ARIN) spt=21360 dst=8.36.160.48 destinationZoneURI=/All Zones/ArcSight System/Public Address Space Zones/Level 3 Communications Inc. 2 dpt=25 requestClientApplication=Other Service or Server Application cs2=00000002-0002-0002-0002-000000007120 cs3=00000001-0001-0001-0001-000000007120 cs4=ANY ANY cs5=172.16.7.240 flexString1=1 cn1=0 cn2=100739839 cs2Label=policyUUID cs3Label=signatureUUID cs4Label=ZoneNames cs5Label=Device Name cn1Label=VLAN ID cn2Label=Alarm Id ahost=WIN-MFGNMJGIUIK agt=172.16.227.50 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 172.16.0.0-172.31.255.255 av=7.0.1.6963.0 atz=America/New_York aid=3A2MJJEUBABCAA3I6E0GXmg\=\= at=syslog dvchost=(redacted) dtz=America/New_York deviceInboundInterface=2 _cefVer=0.1
0 Karma

sundareshr
Legend

see updated answer

0 Karma

somesoni2
Revered Legend

Yes, that would be fine. Also share the expected output.

0 Karma

pradeepkumarg
Influencer

You need to provide a few sample events from your data and the desired output for the community to help. You can mask/alter any sensitive data.

0 Karma