Splunk Search

append and transaction

jeff
Contributor

I have a pretty complex search where I'm trying to get the DHCP and ACS authentication logs correlated by MAC address for all workstations where a particular user logged into the wireless network.

index=main (host=dhcpserver) 
| extract mac
| search
  [ search host=csacs* index=main CSCOacs_Passed_Authentications
    [ search host=csacs* index=main CSCOacs_Passed_Authentications user=*username* 
      | fields trans_id ] 
    | transaction maxpause=5s trans_id 
    | lookup normalizemac input AS Calling_Station_ID OUTPUTNEW mac 
    | dedup mac 
    | fields mac ] 
| rex field=_raw "DHCPACK on (?<ip_assigned>[0-9\.]+) to [^\(]+\((?<hostname>[^\)]+)\)"
| fields _time host hostname ip_assigned mac
| append
  [ search host=csacs* index=main CSCOacs_Passed_Authentications
    [ search host=csacs* index=main CSCOacs_Passed_Authentications user=*username* 
      | fields trans_id ] 
    | transaction maxpause=5s trans_id 
    | lookup normalizemac input AS Calling_Station_ID OUTPUTNEW mac 
    | dedup mac 
    | fields _time host mac user ]
| transaction maxspan=20s mac

Everything is working okay except for the final transaction to join the transaction between the two systems. I verified the relevant events have the same MAC address and format (lowercase aa:aa:aa:aa:aa:aa) and are well within the maxspan time. Does transaction not work across appended searches?


lguinn2
Legend

I think this search can be simplified:

index=main (host=dhcpserver) 
| extract mac
| search
  [ search host=csacs* index=main CSCOacs_Passed_Authentications user=*username* trans_id=*  
    | dedup Calling_Station_ID
    | lookup normalizemac input AS Calling_Station_ID OUTPUTNEW mac 
    | dedup mac 
    | fields mac ] 
| rex field=_raw "DHCPACK on (?<ip_assigned>[0-9\.]+) to [^\(]+\((?<hostname>[^\)]+)\)"
| fields _time host hostname ip_assigned mac
| append
  [ search host=csacs* index=main CSCOacs_Passed_Authentications user=*username* trans_id=*
    | transaction maxpause=5s trans_id 
    | lookup normalizemac input AS Calling_Station_ID OUTPUTNEW mac 
    | dedup mac 
    | fields _time host mac user ]
| transaction maxspan=20s mac

But I think this is the answer to your question: transaction

"Given events as input, this command finds transactions based on events"

You are not passing events to the final transaction command: you are passing summarized search results.

0 Karma
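To make concrete what the search above is trying to compute, here is an added Python example (not from this thread and not Splunk code) that performs the same correlation outside Splunk: normalize the ACS Calling_Station_ID the way the normalizemac lookup is assumed to (hyphenated upper-case or dotted forms to aa:aa:aa:aa:aa:aa), keep only DHCPACK events for MACs that the selected user authenticated with, merge both event sets, and then window them per MAC within maxspan seconds. The sample log lines, the regex that also captures the MAC from the DHCPACK line, and the user filter as a regex rather than a *username* wildcard are all constructed assumptions. The merged list is sorted by time before windowing; Splunk's transaction command likewise assumes time-ordered input, which an append does not guarantee.

```python
import re
from itertools import groupby

# Constructed sample data (not from the thread): (epoch seconds, host, raw line)
# for the DHCP server and (epoch seconds, host, fields) for ACS events.
DHCP_LINES = [
    (1000, "dhcpserver", "DHCPACK on 10.1.2.3 to 00:11:22:aa:bb:cc (laptop01) via eth0"),
    (1400, "dhcpserver", "DHCPACK on 10.1.2.4 to 00:11:22:aa:bb:cd (laptop02) via eth0"),
    (1012, "dhcpserver", "DHCPACK on 10.1.2.5 to 00:11:22:aa:bb:ce (laptop03) via eth0"),
    (1020, "dhcpserver", "DHCPDISCOVER from 00:11:22:aa:bb:cc via eth0"),
]
ACS_EVENTS = [
    (1005, "csacs01", {"user": "jsmith", "Calling_Station_ID": "00-11-22-AA-BB-CC"}),
    # authenticated 100 s before the DHCPACK for laptop02: outside a 20 s maxspan
    (1300, "csacs01", {"user": "jsmith", "Calling_Station_ID": "00-11-22-AA-BB-CD"}),
    (1010, "csacs02", {"user": "other", "Calling_Station_ID": "00-11-22-AA-BB-CE"}),
]

# Same shape as the page's rex, extended (assumption) to capture the MAC
# that the original search obtains with `extract mac`.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip_assigned>[0-9\.]+) to (?P<mac>\S+) \((?P<hostname>[^\)]+)\)"
)


def normalize_mac(raw):
    """Assumed behaviour of the normalizemac lookup: accept 00-11-22-AA-BB-CC,
    0011.22aa.bbcc or 00:11:22:aa:bb:cc and return aa:aa:aa:aa:aa:aa (None if not a MAC)."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_dhcp(lines):
    events = []
    for t, host, raw in lines:
        m = DHCPACK_RE.search(raw)
        if not m:
            continue  # not a DHCPACK line; the rex in the search yields no fields for it either
        events.append({"_time": t, "host": host, "src": "dhcp", "mac": normalize_mac(m["mac"]),
                       "ip_assigned": m["ip_assigned"], "hostname": m["hostname"]})
    return events


def parse_acs(events, user_pattern):
    # No dedup here: the per-MAC window below handles repeated authentications,
    # and `dedup mac` can discard the very event that falls inside the window.
    out = []
    for t, host, fields in events:
        if not re.search(user_pattern, fields.get("user", "")):
            continue
        mac = normalize_mac(fields.get("Calling_Station_ID", ""))
        if mac is None:
            continue
        out.append({"_time": t, "host": host, "src": "acs", "mac": mac, "user": fields["user"]})
    return out


def transaction_by_mac(events, maxspan):
    """Group events sharing a MAC while the group's time span stays within maxspan seconds.
    Sorting by time first is essential: windowing unordered (appended) events breaks."""
    by_time = sorted(events, key=lambda e: e["_time"])
    by_mac = sorted(by_time, key=lambda e: e["mac"])  # stable sort keeps time order per MAC
    txns = []
    for mac, group in groupby(by_mac, key=lambda e: e["mac"]):
        current = None
        for e in group:
            if current is None or e["_time"] - current["start"] > maxspan:
                current = {"mac": mac, "start": e["_time"], "events": []}
                txns.append(current)
            current["events"].append(e)
    return txns


def correlate(dhcp_lines, acs_events, user_pattern, maxspan=20):
    acs = parse_acs(acs_events, user_pattern)
    user_macs = {e["mac"] for e in acs}
    # Equivalent of `| search [ ... | fields mac ]`: keep DHCP events for the user's MACs only.
    dhcp = [e for e in parse_dhcp(dhcp_lines) if e["mac"] in user_macs]
    results = []
    for txn in transaction_by_mac(dhcp + acs, maxspan):
        if {e["src"] for e in txn["events"]} != {"dhcp", "acs"}:
            continue  # one-sided group: nothing to correlate
        merged = {"mac": txn["mac"], "first": txn["events"][0]["_time"],
                  "last": txn["events"][-1]["_time"]}
        for e in txn["events"]:
            for k in ("user", "hostname", "ip_assigned"):
                if k in e:
                    merged[k] = e[k]
        results.append(merged)
    return results


if __name__ == "__main__":
    for row in correlate(DHCP_LINES, ACS_EVENTS, r"^jsmith$"):
        print(row)
```

With the constructed data only laptop01 correlates: laptop02's authentication is 100 seconds away from its DHCPACK and falls into a separate per-MAC group, and laptop03 belongs to a different user and is filtered out before windowing.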

simonzfor
Explorer

Is there really a difference between summarized search results and events? My impression is that append takes a result and just adds more events to it.

0 Karma

cscaldeira
Explorer

Hi Jeff. Did you get an answer to your question? I am having the same problem with append + transaction.

0 Karma