Hi,
OK, at this point I can barely spell SPLUNK, but I have gone through a bootcamp course and I'm trying to pull off my first assignment to correlate between two logs.
I have login data like username, AssignedIP, time/date in one log. I have outbound src_ip dest_ip traffic and time/date in another log. I know when a user is assigned an IP but I don't know when they stop other than seeing a new event assigning the IP to a different user.
AssignedIP = src_ip, is the link across the data sources but only within the time period that the user had the IP address.
I have two use cases:
1. Show me all the traffic for a particular user
2. Find the user that generated this traffic
I may have to specify the time and date and not just the last X days/weeks etc.
Can someone point me in the right direction on how to build this search and correlate the data? Is this better as a subsearch or a transaction? I know transactions are more costly but not sure when they are better to use.
Thanks for any help. Sorry for the newbie questions.
Curt
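An added example, not part of the original post, that models the correlation the question describes outside Splunk: assignment events are turned into per-IP lease intervals (a lease ends only when the IP is reassigned), and each traffic event is attributed to whichever user held src_ip at that instant. The usernames, IPs and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample events. Assignment log: (timestamp, username, AssignedIP).
# Traffic log: (timestamp, src_ip, dest_ip). ISO-8601 strings sort chronologically.
ASSIGNMENTS = [
    ("2024-03-01T08:00:00", "alice", "10.0.0.5"),
    ("2024-03-01T09:30:00", "bob", "10.0.0.5"),   # alice's lease on 10.0.0.5 ends here
    ("2024-03-01T08:15:00", "carol", "10.0.0.9"),
]
TRAFFIC = [
    ("2024-03-01T08:10:00", "10.0.0.5", "203.0.113.7"),
    ("2024-03-01T09:45:00", "10.0.0.5", "198.51.100.2"),
    ("2024-03-01T08:20:00", "10.0.0.9", "203.0.113.7"),
    ("2024-03-01T07:50:00", "10.0.0.5", "203.0.113.7"),  # before any assignment
]

@dataclass
class Lease:
    user: str
    ip: str
    start: datetime
    end: Optional[datetime]  # None: no later assignment of this IP seen yet

def build_leases(assignments):
    """Turn assignment events into per-IP intervals. The only end signal the
    logs give is the next assignment of the same IP to someone else."""
    by_ip = {}
    for ts, user, ip in sorted(assignments):
        by_ip.setdefault(ip, []).append(Lease(user, ip, datetime.fromisoformat(ts), None))
    leases = []
    for ip_leases in by_ip.values():
        for cur, nxt in zip(ip_leases, ip_leases[1:]):
            cur.end = nxt.start
        leases.extend(ip_leases)
    return leases

def user_for(leases, ip, ts):
    """Use case 2: which user held this src_ip when the traffic event occurred?"""
    t = datetime.fromisoformat(ts)
    for lease in leases:
        if lease.ip == ip and lease.start <= t and (lease.end is None or t < lease.end):
            return lease.user
    return None  # no lease covered that moment: leave unattributed rather than guess

def traffic_for(leases, traffic, user):
    """Use case 1: every traffic event attributable to this user."""
    return [ev for ev in traffic if user_for(leases, ev[1], ev[0]) == user]
```

The time-bounded match is the part a plain field join on AssignedIP = src_ip gets wrong; whatever Splunk search is chosen has to reproduce this interval check.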