Splunk Search

Correlate events, get parameters from only one of the events

horizonsecurity
Explorer

Hi *,

I'm trying to correlate events with the transaction function.
This is my search:

source="auditd"| transaction msg | stats values(auid) AS Users values(exe) AS Commands values(a1) AS par1 values(a2) AS par2 values(a3) AS par3 BY msg

My need is that I want to group two strings that are part of the same event (msg) and to get some parameters from one event and one from the other. Unfortunately the parameters have the same name in both events (a0, a1, a2, ...).

How can I tell Splunk to distinguish the a1 from the first event from the a1 in the second event?


Example: one correlated event based on the msg, but with 2 different types.
I want to take the a1, a2, ... from the type=EXECVE and not the ones from type=SYSCALL.

type=SYSCALL msg=audit(12/12/2012 08:37:06.190:17211) : arch=i386 syscall=execve success=yes exit=0 a0=9ba86d0 a1=9bad370 a2=9bad828 a3=0 items=2 ppid=10479 pid=24196 tty=pts0 ses=38 comm=cat exe=/bin/cat key=(null)
type=EXECVE msg=audit(12/12/2012 08:37:06.190:17211) : argc=2 a0=cat a1=/etc/passwd

Thanks,

HS

1 Solution

Ayn
Legend

Do you know the order of the events, so for instance that the SYSCALL event comes before EXECVE (I'm guessing yes)? If so you can use the fact that when transaction encounters multiple values for a field, it will create a multi-valued field out of them. By default this multi-valued field is ordered alphabetically, but by specifying mvlist=t it will be ordered in the order the values were encountered. So you could do

... | transaction mvlist=t msg | eval a1_1=mvindex(a1,0) | eval a1_2=mvindex(a1,1) | ...


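Putting the accepted answer back into the search from the question, as an added example (this is not from the original post). The first search keeps the mvindex approach from the answer, so it relies on the SYSCALL record being seen before the EXECVE record of the same msg; the second picks the argument fields by record type before transaction, so it does not depend on event order. Both assume the auditd key=value fields (type, msg, auid, exe, a1..a3) are already extracted, as they are in the original search.

```spl
source="auditd"
| transaction mvlist=t msg
| eval par1=mvindex(a1,1)
| eval par2=mvindex(a2,1)
| eval par3=mvindex(a3,1)
| stats values(auid) AS Users values(exe) AS Commands values(par1) AS par1 values(par2) AS par2 values(par3) AS par3 BY msg

source="auditd"
| eval exec_a1=if(type=="EXECVE", a1, null())
| eval exec_a2=if(type=="EXECVE", a2, null())
| eval exec_a3=if(type=="EXECVE", a3, null())
| transaction msg
| stats values(auid) AS Users values(exe) AS Commands values(exec_a1) AS par1 values(exec_a2) AS par2 values(exec_a3) AS par3 BY msg
```

In the first search mvindex(a2,1) is null for the sample record above because the EXECVE line only carries a0 and a1 (argc=2), so a2 has a single value from SYSCALL; that is the correct result, but it is easy to get the wrong argument if the records arrive out of order, which is why the second form is safer. The second form also works without transaction at all, using values(eval(if(type=="EXECVE", a1, null()))) AS par1 directly in stats. One auditd caveat worth knowing: arguments containing spaces or non-printable characters are hex-encoded, and very long arguments are split into fields named a1[0], a1[1], ..., which will not match a1.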
Ayn
Legend

Great! I noticed just now how I talked about the mvlist parameter but then totally forgot to actually put it into the example I gave - hope you didn't recreate my error 🙂 Anyways, I edited my answer now so that the transaction example is correct.

0 Karma

horizonsecurity
Explorer

Thanks! It works! I tried it before, but I put the eval(mvindex) after the stats ....

0 Karma