Splunk Search

Correlate data with transaction

fahrenheit
New Member

Hi,

I am trying to correlate data from the IP watchlist app with firewall events.

The search: (index=test sourcetype=cisco_asa teardown) OR (index=test sourcetype=ip_watchlist) | eval ip=coalesce(dest_ip, offending_ip) | transaction ip maxspan=1d connected=f | eval count_sourcetypes=mvcount(sourcetype) | where count_sourcetypes>1

but it isn't working.

Any ideas?

Thanks

0 Karma

Ayn
Legend

OK, but you haven't shown us what's wrong with these results, i.e. what results you were really expecting and why.

0 Karma

brettcave
Builder

I find using stats is a much better method for correlating data based on common fields.

stats list(some_field) AS all_values values(other_field) AS distinct_values by transaction_field

You can then pipe to things like mvexpand or evals with multivalue functions to extract / count the data.

hth

0 Karma

fahrenheit
New Member

Thanks brettcave,

I will try it and let you know.

0 Karma

fahrenheit
New Member

Thanks, I will try.

0 Karma

brettcave
Builder

You can also do something like this to get the IP into a single field from both event types if it works better for you:
... | eval ip=case(eventtype="cisco",dest_ip,eventtype="ip_watchlist",offending_ip) | chart c(eval(eventtype="cisco")) as number_of_cisco_events c(eval(eventtype="ip_watchlist")) as number_of_watchlist_events over day by ip

0 Karma

brettcave
Builder

(index=test sourcetype=cisco_asa teardown) OR (index=test sourcetype=ip_watchlist) | eval day=strftime(_time,"%F") | chart c as number_of_events list(offending_ip) as offending_ips over day by dest_ip

Use chart <aggr_func> over <field-x> by <field-y>, or stats <aggr_func> by <field-x>,<field-y>. Chart also supports the span parameter if you don't want to set the day manually with eval like I did; play around with it to get the exact results you are looking for.

0 Karma

fahrenheit
New Member

Hi brettcave,

I don't know how to do it; can you post an example?

Thanks

Regards

0 Karma

fahrenheit
New Member

The results:

Aug 23 13:03:05 %ASA-6-302014: Teardown TCP connection 924351437 for Inside:x.x.x.x/1081 to Internet:112.106.156.81/80 duration 0:00:30 bytes 0 SYN Timeout
vie ago 23 13:03:26 CEST 2013 splunk-host=splunk offending-ip=61.191.188.70
Aug 23 13:03:26 10.1.233.1 %ASA-6-302014: Teardown TCP connection 924355686 for Inside:x.x.x.x/1084 to Internet:112.106.156.81/80 duration 0:00:30 bytes 0 SYN Timeout

host=x.x.x.x
host=SPLUNK
sourcetype=ciscoasa
sourcetype=ipwatchlist
source=/opt/splunk/etc/apps/splunkipwatchlist/bin/getbadip.sh

thanks

0 Karma
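The stats-based correlation that brettcave recommends, and the reason the original transaction search has nothing to join on, are easier to see outside Splunk. The script below is an added example, not code from the thread, from Splunk or from either app: it emulates `eval ip=coalesce(dest_ip, offending_ip) | stats count values(sourcetype) by ip | where mvcount(sourcetypes) > 1` in plain Python over a handful of constructed events modeled on the ASA 302014 teardown and watchlist lines posted above (addresses, ports and connection IDs are made up, and one address is deliberately present in both sourcetypes). The two regexes stand in for the field extractions the apps provide; the sourcetype names follow the original search rather than the `ciscoasa` / `ipwatchlist` values visible in the pasted results, which is itself worth checking before anything else.

```python
import re
from collections import defaultdict

# Constructed sample events modeled on the two sourcetypes in the thread.
# Addresses, ports and connection IDs are made up; 61.191.188.70 appears in
# both sourcetypes on purpose so that the correlation has something to find.
SAMPLE_EVENTS = [
    ("cisco_asa", "Aug 23 13:03:05 %ASA-6-302014: Teardown TCP connection 924351437 "
                  "for Inside:10.0.0.5/1081 to Internet:112.106.156.81/80 duration 0:00:30 bytes 0 SYN Timeout"),
    ("ip_watchlist", "Fri Aug 23 13:03:26 CEST 2013 splunk-host=splunk offending-ip=61.191.188.70"),
    ("cisco_asa", "Aug 23 13:03:26 %ASA-6-302014: Teardown TCP connection 924355686 "
                  "for Inside:10.0.0.5/1084 to Internet:61.191.188.70/443 duration 0:00:30 bytes 0 SYN Timeout"),
    ("cisco_asa", "Aug 23 13:04:01 %ASA-6-302014: Teardown TCP connection 924355700 "
                  "for Inside:10.0.0.7/1090 to Internet:61.191.188.70/80 duration 0:00:02 bytes 512 TCP FINs"),
    ("ip_watchlist", "Fri Aug 23 13:05:00 CEST 2013 splunk-host=splunk offending-ip=203.0.113.4"),
]

# Field extractions standing in for the props/transforms the two apps ship
# (assumed here; the real extractions may name fields differently).
ASA_TEARDOWN = re.compile(
    r"%ASA-6-302014: Teardown (?P<proto>TCP|UDP) connection (?P<conn_id>\d+) "
    r"for (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"to (?P<dst_if>\w+):(?P<dest_ip>[\d.]+)/(?P<dest_port>\d+)"
)
WATCHLIST = re.compile(r"offending-ip=(?P<offending_ip>[\d.]+)")


def extract_fields(sourcetype, raw):
    """Return the extracted fields for one event, or None when the line does
    not match its sourcetype's pattern (in Splunk such an event would carry
    neither dest_ip nor offending_ip and silently drop out of the join)."""
    pattern = {"cisco_asa": ASA_TEARDOWN, "ip_watchlist": WATCHLIST}.get(sourcetype)
    if pattern is None:
        return None
    m = pattern.search(raw)
    if not m:
        return None
    fields = m.groupdict()
    fields["sourcetype"] = sourcetype
    fields["_raw"] = raw
    return fields


def correlate(events):
    """Emulate:
         | eval ip=coalesce(dest_ip, offending_ip)
         | stats count values(sourcetype) AS sourcetypes by ip
         | where mvcount(sourcetypes) > 1
    Returns {ip: {"count": n, "sourcetypes": [...]}} for every address that
    was both a firewall destination and listed on the watchlist."""
    by_ip = defaultdict(lambda: {"count": 0, "sourcetypes": set()})
    for sourcetype, raw in events:
        fields = extract_fields(sourcetype, raw)
        if fields is None:
            continue
        # coalesce(): first non-null of the two differently named fields.
        # Without this step the two sourcetypes never share a key, which is
        # why grouping on dest_ip and offending_ip separately finds nothing.
        ip = fields.get("dest_ip") or fields.get("offending_ip")
        if ip is None:
            continue
        by_ip[ip]["count"] += 1
        by_ip[ip]["sourcetypes"].add(sourcetype)
    return {
        ip: {"count": v["count"], "sourcetypes": sorted(v["sourcetypes"])}
        for ip, v in by_ip.items()
        if len(v["sourcetypes"]) > 1
    }


if __name__ == "__main__":
    for ip, hit in correlate(SAMPLE_EVENTS).items():
        print(f"{ip}: {hit['count']} events across {', '.join(hit['sourcetypes'])}")
```

Run as-is it reports only 61.191.188.70 (one watchlist hit plus two teardowns); 112.106.156.81 and 203.0.113.4 are seen in a single sourcetype each and are filtered out by the mvcount test, exactly as the `where` clause would do in Splunk.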

Ayn
Legend

"Isn't working" isn't very helpful. Please tell us more about the exact results, and what troubleshooting process you have gone through.

0 Karma