Hey
I'm trying to create a search app for tcpdump - a splunk version of mk-tcp-model.
I need to somehow associate the tcpdump packets with one another. For example, the tcpdump output I'm ingesting is:
2011-08-15 13:28:36.851862 IP 127.0.0.1.3306 > 127.0.0.1.52888: tcp 78
2011-08-15 13:28:36.853024 IP 127.0.0.1.52888 > 127.0.0.1.3306: tcp 64
2011-08-15 13:28:36.853138 IP 127.0.0.1.3306 > 127.0.0.1.52888: tcp 11
2011-08-15 13:28:36.853230 IP 127.0.0.1.52888 > 127.0.0.1.3306: tcp 37
2011-08-15 13:28:36.853321 IP 127.0.0.1.3306 > 127.0.0.1.52888: tcp 99
2011-08-15 13:28:40.862205 IP 127.0.0.1.52888 > 127.0.0.1.3306: tcp 22
2011-08-15 13:28:40.862334 IP 127.0.0.1.3306 > 127.0.0.1.52888: tcp 64
2011-08-15 13:28:40.862379 IP 127.0.0.1.52888 > 127.0.0.1.3306: tcp 9
2011-08-15 13:28:40.862438 IP 127.0.0.1.3306 > 127.0.0.1.52888: tcp 11
2011-08-15 13:28:40.863192 IP 127.0.0.1.52888 > 127.0.0.1.3306: tcp 19
2011-08-15 13:28:40.863448 IP 127.0.0.1.3306 > 127.0.0.1.52888: tcp 175
2011-08-15 13:28:40.863543 IP 127.0.0.1.52888 > 127.0.0.1.3306: tcp 16
2011-08-15 13:28:40.863646 IP 127.0.0.1.3306 > 127.0.0.1.52888: tcp 113
2011-08-15 13:28:41.590145 IP 127.0.0.1.52888 > 127.0.0.1.3306: tcp 5
This contains the query and response in sequence, e.g.:
2011-08-15 13:28:36.851862 IP 127.0.0.1.3306 > 127.0.0.1.52888: tcp 78
2011-08-15 13:28:36.853024 IP 127.0.0.1.52888 > 127.0.0.1.3306: tcp 64
A single query that took 13:28:36.853024 - 13:28:36.851862 seconds to execute.
2011-08-15 13:28:36.853138 IP 127.0.0.1.3306 > 127.0.0.1.52888: tcp 11
2011-08-15 13:28:36.853230 IP 127.0.0.1.52888 > 127.0.0.1.3306: tcp 37
A single query that took 13:28:36.853230 - 13:28:36.853138 seconds to execute.
and so on..
So I'm having trouble building a transaction within Splunk for them. I'm not sure if I can or not.
I think this is what will work:
source="/tmp/tcpdump.out" sourcetype="out-too_small" | rename srcipport as ipport | rename dstipport as ipport | transaction ipport maxevents=2
Has anyone else done this before?
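As an added example (not part of the original post), here is a standalone Python version of the pairing the question describes: parse each tcpdump line, key packets by connection regardless of direction, and treat each packet plus the next one flowing the other way as one transaction with its latency, which is the same idea as `transaction ... maxevents=2`. The sample input is constructed from the lines above; the function and field names are my own.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample in the same format as the tcpdump output in the post.
SAMPLE = """\
2011-08-15 13:28:36.851862 IP 127.0.0.1.3306 > 127.0.0.1.52888: tcp 78
2011-08-15 13:28:36.853024 IP 127.0.0.1.52888 > 127.0.0.1.3306: tcp 64
2011-08-15 13:28:36.853138 IP 127.0.0.1.3306 > 127.0.0.1.52888: tcp 11
2011-08-15 13:28:36.853230 IP 127.0.0.1.52888 > 127.0.0.1.3306: tcp 37
2011-08-15 13:28:36.853321 IP 127.0.0.1.3306 > 127.0.0.1.52888: tcp 99
2011-08-15 13:28:40.862205 IP 127.0.0.1.52888 > 127.0.0.1.3306: tcp 22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6}) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): tcp (?P<length>\d+)$"
)
Packet = namedtuple("Packet", "ts src dst length")

def parse_line(line):
    """Parse one tcpdump line into a Packet; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
    return Packet(ts, f"{m['src']}:{m['sport']}", f"{m['dst']}:{m['dport']}",
                  int(m["length"]))

def build_transactions(text):
    """Pair each packet with the next one flowing the other way on the same
    connection. Returns (requester, responder, latency_us, req_bytes, resp_bytes)."""
    pending = {}  # connection key -> first packet of the open request
    txns = []
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue  # ignore banners or truncated lines
        key = tuple(sorted((pkt.src, pkt.dst)))  # same key for both directions
        req = pending.get(key)
        if req is None:
            pending[key] = pkt
        elif pkt.src == req.src:
            # Same direction again: fold it into the still-open request.
            pending[key] = req._replace(length=req.length + pkt.length)
        else:
            latency_us = (pkt.ts - req.ts) // timedelta(microseconds=1)
            txns.append((req.src, pkt.src, latency_us, req.length, pkt.length))
            del pending[key]
    return txns
```

Running `build_transactions(SAMPLE)` yields three transactions, the third of which shows the 4-second gap between the fifth and sixth packets.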