Splunk Search

How do I string certain searches together to get a list of user IP addresses doing a particular query?

dangerusty
Engager

I have connection logs for a database. I need to identify users making certain queries. I'd like to:

  1. Search for a string identifying the query
  2. Check that whole transaction for the original "open connection" event to get the IP address
  3. The IP address is a load balancer, so I have to check that IP/port in the load balancer logs to get the actual user IP address

How do I string these searches together to get a list of user IP addresses doing a particular query? I suspect the "transaction" command is key here, but I haven't found a clue in the examples.

0 Karma

DalJeanis
Legend

(1) Transaction is very resource intensive and there is almost always a better way. If you post the non-confidential portions of the searches here, then we can be of more help.

(2) Often, this kind of thing will be much simpler if it is in a dashboard. That way, the time of the event can be detected from the first search and used to qualify the second and/or third searches. Otherwise, you end up coding something that has to search a massive amount of data for very little value.

0 Karma

dangerusty
Engager

sourcetype="ldap" "filter=\"(id=1)\""

[07/Mar/2018:14:01:11 -0600] - OPERATION - INFO - conn=12345 op=123 msgid=456 SEARCH base="example.com" scope=2 controls="" filter="(id=1)" attrs="*"

sourcetype="ldap" conn=12345 client

[07/Mar/2018:14:00:37 -0600] - CONNECT - INFO - conn=12345 client=10.0.0.2:56789

sourcetype="loadbalancer" "10.0.0.2|56789"

Client_Acpt | Wed Mar 07 2018 14:00:37 | 10.0.0.5|56789| VIP | 10.0.0.4|636 | SNAT_IP | 10.0.0.2|56789 | Node | 10.0.0.3|636

I want a list of user IP addresses (such as 10.0.0.5 in this case) that searched with filter="(id=1)".

0 Karma
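The three-step correlation described in this thread, as an added example that is not part of the original posts: Python run over constructed sample events in the three formats quoted above, keying first on conn= and then on the SNAT ip|port pair, which is the same join structure a stats-based SPL search would use instead of transaction. The regexes, field positions and sample IPs are assumptions modelled on the quoted events.

```python
import re
# Constructed sample events in the three formats quoted in the thread (LDAP CONNECT,
# LDAP SEARCH operation, load balancer Client_Acpt); IPs and conn ids are made up.
LDAP_EVENTS = [
    '[07/Mar/2018:14:00:37 -0600] - CONNECT - INFO - conn=12345 client=10.0.0.2:56789',
    '[07/Mar/2018:14:00:40 -0600] - CONNECT - INFO - conn=12346 client=10.0.0.2:56790',
    '[07/Mar/2018:14:00:41 -0600] - CONNECT - INFO - conn=12347 client=10.0.0.2:56791',
    '[07/Mar/2018:14:01:11 -0600] - OPERATION - INFO - conn=12345 op=123 msgid=456 SEARCH base="example.com" scope=2 controls="" filter="(id=1)" attrs="*"',
    '[07/Mar/2018:14:01:15 -0600] - OPERATION - INFO - conn=12346 op=7 msgid=9 SEARCH base="example.com" scope=2 controls="" filter="(uid=bob)" attrs="*"',
    '[07/Mar/2018:14:01:20 -0600] - OPERATION - INFO - conn=12347 op=3 msgid=4 SEARCH base="example.com" scope=2 controls="" filter="(id=1)" attrs="*"',
]
LB_EVENTS = [
    'Client_Acpt | Wed Mar 07 2018 14:00:37 | 10.0.0.5|56789| VIP | 10.0.0.4|636 | SNAT_IP | 10.0.0.2|56789 | Node | 10.0.0.3|636',
    'Client_Acpt | Wed Mar 07 2018 14:00:40 | 10.0.0.6|40001| VIP | 10.0.0.4|636 | SNAT_IP | 10.0.0.2|56790 | Node | 10.0.0.3|636',
    # conn=12347's SNAT pair (10.0.0.2|56791) deliberately has no load balancer record.
]
CONNECT_RE = re.compile(r' - CONNECT - .*\bconn=(\d+) client=(\d{1,3}(?:\.\d{1,3}){3}):(\d+)')
SEARCH_RE = re.compile(r' - OPERATION - .*\bconn=(\d+) .*\bfilter="([^"]*)"')

def snat_table(lb_events):
    # Map (SNAT ip, SNAT port) -> real client IP from the pipe-delimited LB records.
    table = {}
    for line in lb_events:
        f = [x.strip() for x in line.split('|')]
        i = f.index('SNAT_IP') if 'SNAT_IP' in f else -1
        if i < 3 or i + 2 >= len(f):        # malformed or truncated record
            continue
        table[(f[i + 1], f[i + 2])] = f[2]  # f[2]/f[3] are the client ip/port
    return table

def user_ips_for_filter(ldap_events, lb_events, wanted_filter):
    # Step 2: conn id -> (SNAT ip, SNAT port) taken from the CONNECT event.
    conn_to_snat = {}
    for line in ldap_events:
        m = CONNECT_RE.search(line)
        if m:
            conn_to_snat[m.group(1)] = (m.group(2), m.group(3))
    # Step 3: SNAT pair -> user IP. Caveat: SNAT ports are reused over time, so a
    # production version must also bound this lookup to the connection's time window.
    snat_to_user = snat_table(lb_events)
    users, unresolved = set(), set()
    # Step 1: find the query, then chase it back; unresolved conns are kept by id.
    for line in ldap_events:
        m = SEARCH_RE.search(line)
        if not m or m.group(2) != wanted_filter:
            continue
        user = snat_to_user.get(conn_to_snat.get(m.group(1)))
        (users if user else unresolved).add(user or m.group(1))
    return sorted(users), sorted(unresolved)
```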