Use Case: Correlate logon events from a Windows desktop to events on the domain controller.
Sample (shortened) event from the desktop:
Sample (shortened) events from the domain controller:
The events on the domain controller occur within 1 second of the logon event being generated on the endpoint. The events on the DC and endpoint are linked by the
Proposed Splunk transaction search:
The result is 2 events/transactions instead of 1. The transaction command first groups all events with the same
How do I get a transaction based on the same value of both
An alternate approach we've tried is use a subsearch. The inner search first finds the events of interest on the desktop then passes the
If I understand this correctly, before the transaction command, determine which field you want to use based on the source.
... | eval unifyingField = if(source="dc", src, dvc) ...
(here I'm assuming the source of dc events is called dc)
In Splunk 4.1 transactions support field unification with multi-valued fields, so you can accomplish your goal by having a multivalued field (e.g. unifyingField) with both the src and dvc values and if any value is shared between events, they are compatible and can be in the same transaction.
answered 22 Jan '10, 03:42
Yes, Gerald and David's suggestion does indeed work in 4.0 and 4.1. The resulting search to perform the correlation is:
This is presuming events with ID 540 only happen on the domain controller and not on the desktops. Otherwise, another way to distinguish between desktop and DC events needs to be used.
Thank you for the pointers!
answered 28 Jan '10, 01:49
I would combine the two fields into a single multivalued field:
Yeah, it won't work in 4.0. You just need to do what David said.
Presumably there is some way you can tell the difference between the DC and the device. You could use any eval expression, or do a lookup first on a list of DCs or whatever.