Hi there,
I'm into correlation searches now and I'm stuck on a problem combining three tables, while certain conditions need to be met.
In my company administrators do configuration changes according to tickets in a ticket manager.
Table 1 (srctype=Changes) contains Change-Sessions by the Admins
02-10-15 07:40:00 LOGON 172.16.9.11 192.168.122.199 user1
02-10-15 07:41:00 CHNGE 172.16.9.11 192.168.122.199 user1
02-10-15 07:41:10 CHNGE 172.16.9.11 192.168.122.199 user1
02-10-15 07:41:20 CHNGE 172.16.9.11 192.168.122.199 user1
02-10-15 07:42:20 LOGOF 172.16.9.11 192.168.122.199 user1
Table 2 (deviceip_devicename) lists known devices and their corresponding IP address
192.168.122.187,lan-switch-1
192.168.122.199,lan-switch-2
Table 3 (srctype=Tickets) lists all changes that admins were allowed to do
02-10-15 07:35:00 configchange user1 lan-switch-2 IM735903
You see here that I first have to join Table 1 and Table 2 with the IP, to then join them together with Table 3.
The condition I want to check is whether there is a valid change ticket (Ticket-ID IM*) for a change session.
You also notice that the time of the change ticket is different from the time of the change session. When there is a change ticket for 07:35, the change should be possible for one hour. When the change is done after this period of time, the change should be invalid.
----------
So far I've written the following search:
index=_* OR index=* sourcetype=Changes
| transaction Source_IP Destination_IP Username startswith="LOGON" endswith="LOGOF"
| join Destination_IP [inputlookup deviceip_devicename | rename Device_IP AS Destination_IP]
| join type=left date_hour [search sourcetype=Ticketcenter | fields Ticket_ID Device_Name date_hour]
| where Ticket_ID!=""
Thanks in advance! :-)
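As an added reference model (not Splunk code and not part of the question), here is the correlation the question describes, run over the question's own sample rows: sessions are rebuilt from LOGON/LOGOF, the destination IP is resolved to a device name, and a session is accepted only when an IM* ticket for the same user and device exists whose time is at most one hour before the session start. The date format dd-mm-yy is an assumption; only consistency between the tables matters.

```python
from datetime import datetime, timedelta

# Constructed sample rows, transcribed from the three tables in the question.
# Date format is assumed to be dd-mm-yy; only consistency between tables matters.
CHANGES = """\
02-10-15 07:40:00 LOGON 172.16.9.11 192.168.122.199 user1
02-10-15 07:41:00 CHNGE 172.16.9.11 192.168.122.199 user1
02-10-15 07:41:10 CHNGE 172.16.9.11 192.168.122.199 user1
02-10-15 07:41:20 CHNGE 172.16.9.11 192.168.122.199 user1
02-10-15 07:42:20 LOGOF 172.16.9.11 192.168.122.199 user1
"""
DEVICES = {"192.168.122.187": "lan-switch-1", "192.168.122.199": "lan-switch-2"}
TICKETS = "02-10-15 07:35:00 configchange user1 lan-switch-2 IM735903\n"
WINDOW = timedelta(hours=1)  # a ticket authorises changes for one hour after its time

def parse_ts(date, time):
    return datetime.strptime(f"{date} {time}", "%d-%m-%y %H:%M:%S")

def sessions(changes_text):
    """Rebuild LOGON..LOGOF sessions per (src, dst, user), as `transaction` does."""
    open_sessions, closed = {}, []
    for line in changes_text.splitlines():
        d, t, action, src, dst, user = line.split()
        ts, key = parse_ts(d, t), (src, dst, user)
        if action == "LOGON":
            open_sessions[key] = {"start": ts, "dst": dst, "user": user, "changes": 0}
        elif key in open_sessions and action == "CHNGE":
            open_sessions[key]["changes"] += 1
        elif key in open_sessions and action == "LOGOF":
            closed.append({**open_sessions.pop(key), "end": ts})
    return closed

def tickets(tickets_text):
    """Parse ticket rows; only IM* ticket IDs count as valid change tickets."""
    rows = []
    for line in tickets_text.splitlines():
        d, t, _kind, user, device, ticket_id = line.split()
        if ticket_id.startswith("IM"):
            rows.append({"ts": parse_ts(d, t), "user": user, "device": device, "id": ticket_id})
    return rows

def correlate(changes_text, devices, tickets_text, window=WINDOW):
    """One verdict per session: (user, device, session start, matching ticket id or None)."""
    verdicts = []
    for s in sessions(changes_text):
        device = devices.get(s["dst"])  # the lookup join; unknown IP -> no device name
        match = next((t["id"] for t in tickets(tickets_text)
                      if t["user"] == s["user"] and t["device"] == device
                      and t["ts"] <= s["start"] <= t["ts"] + window), None)
        verdicts.append((s["user"], device, s["start"], match))
    return verdicts
```

A session whose start falls outside the one-hour window, or whose destination IP is not in the lookup, comes back with `None` as its ticket, which is the row the question's final `where` would keep for review.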