Solved: Nearest Event of Type=X

blurblebot · ‎10-07-2010

How can I take an event with a given key(a)/value(b) pair and find the temporally nearest event with key(c)/value(d)? I thought transaction would be the way to go, but I've used it enough to know that I must not know what I need to know about it, if that's my best avenue.

The idea is that given an event:

Oct 26, 2032 src_ip=132.32.23.4 proto=udp

How can I find the very next event (only) containing

Oct 26, 2032 src_ip=132.32.23.4 rectype=tcpsession

OR

the nearest previous recent event (only) containing

Oct 26, 2032 src_ip=132.32.23.4 rectype=ipflow

OR better yet, both.

For me, the transaction would be:

search index=whatevs | transaction src_ip | search (rectype=tcpsession) (rectype=ipflow)

But this, even if given a maxspan, seems to often return an event set that while matches, doesn't necessarily limit the results or stick to my specified maxspan.

Any takers?

I'll buy you a pony.... Thanks

-s

Lowell · ‎10-07-2010

Have you tried using startswith/endswith?

index=whatevs | transaction src_ip startswith=("rectype=ipflow") endswith=("rectype=tcpsession")

Does that get you any closer?

View solution in original post

Lowell · ‎10-07-2010

Have you tried using startswith/endswith?

index=whatevs | transaction src_ip startswith=("rectype=ipflow") endswith=("rectype=tcpsession")

Does that get you any closer?

blurblebot · ‎10-08-2010

I come here before I go to documentation, apparently. I'm lonely.

Nearest Event of Type=X

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases

Detecting Remote Code Executions With the Splunk Threat Research Team