Solved: Transaction to show events with more than 1 source...

axinjakson · ‎05-10-2012

I am attempting to search across 3 different sources and provide events that occur on more than 1 source only. Meaning firewall1 and firewall2 saw events in say, the same 20 minute window...

I am able to do this with a huge "stats values" table output and "search where" after, however I feel that is terribly inefficient.

Looking for something to output either raw event logs or to a table is fine, stats with count, etc etc. I am open to suggestions.

Here is my basic thought for the search, attempting src+dst IP pairs as the unique identifier

source1 OR source2 OR source3 | transaction src,dst where source>1 maxspan=20m

Ayn · ‎05-10-2012

You could use streamstats to get a distinct count of sources for each transaction and then single out the transactions with more than one source using where:

source="source1" OR source="source2" OR source="source3" | transaction src,dst maxspan=20m | streamstats window=1 dc(source) AS sourcecount | where sourcecount>1

View solution in original post

Ayn · ‎05-10-2012

You could use streamstats to get a distinct count of sources for each transaction and then single out the transactions with more than one source using where:

source="source1" OR source="source2" OR source="source3" | transaction src,dst maxspan=20m | streamstats window=1 dc(source) AS sourcecount | where sourcecount>1

Transaction to show events with more than 1 source only

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases