|
Hi, Ok at this point I can barely spell SPLUNK but I have gone through a bootcamp course and I'm trying to pull off my first assignment to correlate between two logs. I have login data like username, AssignedIP, time/date in one log. I have outbound src_ip dest_ip traffic and time/date in another log. I know when a user is assigned an IP but I don't know when they stop other than seeing a new event assigning the IP to a different user. AssignedIP = src_ip, is the link across the data sources but only within the time period that the user had the IP address. I have two use cases: 1. Show me all the traffic for a particular user 2. Find the user that generated this traffic I may have to specify the time and date and not just the last X days/weeks etc. Can someone point me in the right direction how to build this search and correlate the data? Is this is better as a subsearch or a transaction. I know transactions are more costly but not sure when they are better to use. Thanks for any help. Sorry for the newbie questions Curt |
|
Yes, I have looked at transactions. And I've been trying to figure out how it works. I've looked at a lot of examples but they all seem to use the same log where I'm trying to go across multiple logs. My biggest issue is figuring out what exactly you put in the transaction command to tie fields together. Maybe it's because the fields are not the same name in each log. If that's the case I have to figure out how to either redefine, rename or create duplicates with the same name. Curt search <multiple logs=""> | transaction maxspan=5m field. I suppose you knew that already, what you need is to have a common field between the logs. You will need to the rex command to help you along here. Usually there is some identifier, like ID or client ip.
(05 Aug '11, 10:39)
fk319
|