Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

One event marks the the end of first transaction and begining of the next

supersleepwalke
Communicator
‎10-03-2012 09:36 AM

I have VPN logs which contain some entries where the internal IP changes. I want this data in two different sessions, but the "IP change" message in both transactions:

Oct  1 16:37:22 10.20.020.002 Juniper: 1011-10-00 16:37:22 - qn - [110.01.003.200] ben(MYDOMAIN GIA)[Users] - Session timed out for ben/MYDOMAIN GIA due to inactivity (last access at 16:15:32 2012/10/01). Idle session identified during routine system scan.
Oct  1 13:15:31 10.20.020.002 Juniper: 1011-10-00 13:15:31 - qn - [110.01.003.120] ben(MYDOMAIN GIA)[Users] - Remote address for user ben/MYDOMAIN GIA changed from 110.01.003.120 to 110.01.003.200.
Oct  1 09:53:18 10.20.020.002 Juniper: 1011-10-00 09:53:18 - qn - [110.01.003.120] ben(MYDOMAIN GIA)[Users] - Agent login succeeded for ben/MYDOMAIN GIA from 110.01.003.120.

I want two transactions:

Transaction one:

Oct  1 16:37:22 10.20.020.002 Juniper: 1011-10-00 16:37:22 - qn - [110.01.003.200] ben(MYDOMAIN GIA)[Users] - Session timed out for ben/MYDOMAIN GIA due to inactivity (last access at 16:15:32 2012/10/01). Idle session identified during routine system scan.
Oct  1 13:15:31 10.20.020.002 Juniper: 1011-10-00 13:15:31 - qn - [110.01.003.120] ben(MYDOMAIN GIA)[Users] - Remote address for user ben/MYDOMAIN GIA changed from 110.01.003.120 to 110.01.003.200.

Transaction two:

Oct  1 13:15:31 10.20.020.002 Juniper: 1011-10-00 13:15:31 - qn - [110.01.003.120] ben(MYDOMAIN GIA)[Users] - Remote address for user ben/MYDOMAIN GIA changed from 110.01.003.120 to 110.01.003.200.
Oct  1 09:53:18 10.20.020.002 Juniper: 1011-10-00 09:53:18 - qn - [110.01.003.120] ben(MYDOMAIN GIA)[Users] - Agent login succeeded for ben/MYDOMAIN GIA from 110.01.003.120.

Notice that the event at 13:15:31 is in both transactions.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

supersleepwalke
Communicator
‎10-04-2012 01:07 PM

Found an even cleaner solution. For the lines that you want in both transactions, duplicate them, and change the src_ip with eval. Then you can use a single transaction command:

sourcetype=juniper  ("agent login" OR "Session timed out for" OR "Logout from" OR "Max session timeout for" OR "Remote address for user") 
| append [ search sourcetype=juniper  "Remote address for user" 
           | rex "to (?<new_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\."
           | eval src_ip=new_ip ] 
| sort -_time
| transaction user,src_ip

Now the log events that describe the IP change will appear in both the ending and beginning transaction. The text (_raw) will appear the same but the extracted src_ip field will be changed for the begining transaction to trick it into matching properly.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

supersleepwalke
Communicator
‎10-04-2012 01:07 PM

Found an even cleaner solution. For the lines that you want in both transactions, duplicate them, and change the src_ip with eval. Then you can use a single transaction command:

sourcetype=juniper  ("agent login" OR "Session timed out for" OR "Logout from" OR "Max session timeout for" OR "Remote address for user") 
| append [ search sourcetype=juniper  "Remote address for user" 
           | rex "to (?<new_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\."
           | eval src_ip=new_ip ] 
| sort -_time
| transaction user,src_ip

Now the log events that describe the IP change will appear in both the ending and beginning transaction. The text (_raw) will appear the same but the extracted src_ip field will be changed for the begining transaction to trick it into matching properly.

0 Karma
Reply
Solved! Jump to solution

supersleepwalke
Communicator
‎10-03-2012 09:48 AM

Thanks to Ayn for helping with this answer in the IRC channel.

The answer is to search for the session beginning with the "Agent login succeeded" first and separately, then get the IP change transaction, and "append" them:

sourcetype=juniper | transaction user,src_ip | search "agent login"
| append [search sourcetype=juniper 
    | transaction user endswith=("Session timed out for" OR "Logout from" 
        OR "Max session timeout for") startswith="Remote address for user"]
| sort _time

The first search keeps only sessions with matching IP addresses, so it will end with the IP change message.

The second search (with "append") find the second half where the IP changes until the closing message of the session.

Apply sort for good measure.

Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...