I have connection logs for a database. I need to identify users making certain queries. I'd like to:

sourcetype="ldap" "filter=\"(id=1)\""
[07/Mar/2018:14:01:11 -0600] - OPERATION - INFO - conn=12345 op=123 msgid=456 SEARCH base="example.com" scope=2 controls="" filter="(id=1)" attrs="*"

sourcetype="ldap" conn=12345 client
[07/Mar/2018:14:00:37 -0600] - CONNECT - INFO - conn=12345 client=10.0.0.2:56789

sourcetype="loadbalancer" "10.0.0.2|56789"
Client_Acpt | Wed Mar 07 2018 14:00:37 | 10.0.0.5|56789| VIP | 10.0.0.4|636 | SNAT_IP | 10.0.0.2|56789 | Node | 10.0.0.3|636

I want a list of user IP addresses (such as 10.0.0.5 in this case) that searched with filter="(id=1)".

How do I string these searches together to get a list of user IP addresses doing a particular query? I suspect the "transaction" command is key here, but I haven't found a clue in the examples.

(1) Transaction is very resource intensive and there is almost always a better way. If you post the non-confidential portions of the searches here, then we can be of more help.

(2) Often, this kind of thing will be much simpler if it is in a dashboard. That way, the time of the event can be detected from the first search and used to qualify the second and/or third searches. Otherwise, you end up coding something that has to search a massive amount of data for very little value.
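The chain the thread is about (SEARCH with the wanted filter -> conn -> CONNECT client ip:port -> load balancer SNAT ip|port -> real client IP), with the time of each earlier event qualifying the next lookup as the answer recommends, as an added Python example that is not part of the original question or answer. The log lines are constructed to match the shapes posted above, not real data; the load balancer's time zone and the 5-second matching window are assumptions. The sample deliberately has the load balancer reuse SNAT port 56789 for a different client later in the day, so running the same function with window=None shows the false hit that a plain join on "ip|port" produces. In Splunk the equivalent is feeding conn, then the SNAT ip|port, from one search into the next with an earliest/latest bound around the earlier event's time.

```python
"""Trace an LDAP search back to the real client IP behind a load balancer.

Added example for the thread above (not the poster's or Splunk's code). The
log lines are constructed to match the shapes shown in the question.
"""
import re
from datetime import datetime, timedelta, timezone

# Assumption: the load balancer stamps local time in the same zone as the
# LDAP server (-0600 in the sample); the LDAP log carries its own offset.
LB_TZ = timezone(timedelta(hours=-6))

# Constructed sample data. conn=12345 reproduces the question's case.
# Later the load balancer reuses SNAT port 56789 for a different client
# (10.0.0.9), so a join on "SNAT ip|port" alone would mis-attribute the
# (id=1) search to that client too.
LDAP_LOG = """\
[07/Mar/2018:14:00:37 -0600] - CONNECT - INFO - conn=12345 client=10.0.0.2:56789
[07/Mar/2018:14:00:40 -0600] - CONNECT - INFO - conn=12346 client=10.0.0.2:56790
[07/Mar/2018:14:01:02 -0600] - OPERATION - INFO - conn=12346 op=7 msgid=8 SEARCH base="example.com" scope=2 controls="" filter="(uid=bob)" attrs="*"
[07/Mar/2018:14:01:11 -0600] - OPERATION - INFO - conn=12345 op=123 msgid=456 SEARCH base="example.com" scope=2 controls="" filter="(id=1)" attrs="*"
[07/Mar/2018:14:03:00 -0600] - DISCONNECT - INFO - conn=12345
[07/Mar/2018:15:30:00 -0600] - CONNECT - INFO - conn=20001 client=10.0.0.2:56789
[07/Mar/2018:15:30:05 -0600] - OPERATION - INFO - conn=20001 op=3 msgid=4 SEARCH base="example.com" scope=2 controls="" filter="(uid=carol)" attrs="*"
"""
LB_LOG = """\
Client_Acpt | Wed Mar 07 2018 14:00:37 | 10.0.0.5|56789| VIP | 10.0.0.4|636 | SNAT_IP | 10.0.0.2|56789 | Node | 10.0.0.3|636
Client_Acpt | Wed Mar 07 2018 14:00:40 | 10.0.0.6|41000| VIP | 10.0.0.4|636 | SNAT_IP | 10.0.0.2|56790 | Node | 10.0.0.3|636
Client_Acpt | Wed Mar 07 2018 15:30:00 | 10.0.0.9|50222| VIP | 10.0.0.4|636 | SNAT_IP | 10.0.0.2|56789 | Node | 10.0.0.3|636
"""

LDAP_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] - (?P<kind>\w+) - \w+ - conn=(?P<conn>\d+)(?P<rest>.*)$')
CLIENT_RE = re.compile(r'client=(?P<ip>[\d.]+):(?P<port>\d+)')
FILTER_RE = re.compile(r'SEARCH .*?filter="(?P<filter>[^"]*)"')


def parse_ldap(text):
    """Return [(time, kind, conn, rest-of-line)] for each LDAP access-log line."""
    events = []
    for line in text.splitlines():
        m = LDAP_RE.match(line)
        if m:
            ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
            events.append((ts, m['kind'], int(m['conn']), m['rest']))
    return events


def parse_lb(text):
    """Return [{'time', 'client': (ip, port), 'snat': (ip, port)}] per LB accept line."""
    records = []
    for line in text.splitlines():
        f = [x.strip() for x in line.split('|')]
        if len(f) < 10 or 'SNAT_IP' not in f:
            continue
        s = f.index('SNAT_IP')
        records.append({
            'time': datetime.strptime(f[1], '%a %b %d %Y %H:%M:%S').replace(tzinfo=LB_TZ),
            'client': (f[2], int(f[3])),
            'snat': (f[s + 1], int(f[s + 2])),
        })
    return records


def client_ips_for_filter(ldap_text, lb_text, wanted_filter, window=timedelta(seconds=5)):
    """Map real client IP -> [search times] for every SEARCH using wanted_filter.

    window=None disables the time qualification and reproduces the false join.
    """
    events = parse_ldap(ldap_text)
    lb = parse_lb(lb_text)
    connects = {}                       # conn -> [(time, snat_ip, snat_port)]
    for ts, kind, conn, rest in events:
        if kind == 'CONNECT':
            m = CLIENT_RE.search(rest)
            connects.setdefault(conn, []).append((ts, m['ip'], int(m['port'])))
    hits = {}
    for ts, kind, conn, rest in events:
        fm = FILTER_RE.search(rest)
        if kind != 'OPERATION' or fm is None or fm['filter'] != wanted_filter:
            continue
        # conn ids are reused across server restarts: take the latest CONNECT
        # that precedes this search, not just any CONNECT with the same conn.
        prior = [c for c in connects.get(conn, []) if c[0] <= ts]
        if not prior:
            continue
        c_ts, snat_ip, snat_port = max(prior)
        # SNAT ports are reused too, so the LB accept must also be close in
        # time to the CONNECT (this is the "qualify by time" step of the answer).
        for rec in lb:
            if rec['snat'] != (snat_ip, snat_port):
                continue
            if window is not None and abs(rec['time'] - c_ts) > window:
                continue
            hits.setdefault(rec['client'][0], []).append(ts)
    return hits


if __name__ == '__main__':
    for ip, times in sorted(client_ips_for_filter(LDAP_LOG, LB_LOG, '(id=1)').items()):
        print(ip, [t.isoformat() for t in times])
```

With the window applied the (id=1) search resolves only to 10.0.0.5; with window=None the reused SNAT port also drags in 10.0.0.9, which is exactly the kind of false correlation a time-unqualified join across three sourcetypes produces.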