Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Joining Searches for Authentication Times
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Joining Searches for Authentication Times
dsmeerkat
Explorer
05-01-2014
07:35 AM
So I have two searches; one for the client_vpn_asa and one for the nac, they both require regex:
index=client_vpn_asa "ASA-4-722051" | rex field=_raw ".*?ASA-4-722051: Group \<(?<Group>.*?)\> User \<(?<username>.*?)\> IP \<(?<Source_IP>\\d+.\\d+.\\d+.\\d+)\> Address \<(?<Framed_IP>\\d+.\\d+.\\d+.\\d+)\> assigned to session" | fields + _time, host, Group, username, Source_IP, Framed_IP | fields - "_cd","_indextime","_kv","_raw","_serial","_si","_sourcetype"
and
index=nac | rex field=_raw "(?P<Source_IP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | rex field=_raw "(?P<username>\w{1,30}\\\.\S+)" | rex field=_raw "(?P<email_addr>\S+@\S+)" | eval analysis=if(isnull(username),0,1) | eval user=case(analysis=="0", email_addr, analysis=="1", username)
I tried "join username [search index=nac......]" didn't work right.
What I want to do is see how long it takes a user to hit the ASA, get authenticated and then be authorized by the NAC...what is the total time of that transaction by user.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
05-01-2014
08:40 AM
Try something like this
index=client_vpn_asa "ASA-4-722051" | rex field=_raw ".*?ASA-4-722051: Group \<(?<Group>.*?)\> User \<(?<username>.*?)\> IP \<(?<Source_IP>\\d+.\\d+.\\d+.\\d+)\> Address \<(?<Framed_IP>\\d+.\\d+.\\d+.\\d+)\> assigned to session" | fields + _time, host, Group, username, Source_IP, Framed_IP | fields - "_cd","_indextime","_kv","_raw","_serial","_si","_sourcetype"
|append [search index=nac | rex field=_raw "(?P<Source_IP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | rex field=_raw "(?P<username>\w{1,30}\\\.\S+)" | rex field=_raw "(?P<email_addr>\S+@\S+)" | eval analysis=if(isnull(username),0,1) | eval user=case(analysis=="0", email_addr, analysis=="1", username)]
|transaction username maxevents=2 | table _time , username, duration
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
05-01-2014
09:13 AM
Yes and yes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dsmeerkat
Explorer
05-01-2014
08:55 AM
Very nice indeed, so this is the duration between the ASA and NAC, right? Duration here is in seconds?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dsmeerkat
Explorer
05-01-2014
08:19 AM
So what I want to do is have a username, with an entry from the ASA first, then an entry from the NAC....so i can calculate the time from first seen on the ASA to successful authentication on the NAC....
Get Updates on the Splunk Community!
Join Us for Splunk University and Get Your Bootcamp Game On!
If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...
Announcing Scheduled Export GA for Dashboard Studio
We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...
