Problem: Searching for matching fields within multiple source types

KNichol5hd
Explorer

I am a new Splunk user who uses Splunk to find infected hosts on our network. I currently run 3 separate searches to pinpoint the users but would like to combine them into one with the goal of ultimately having this e-mailed to myself.

These are the following searches:
sourcetype=pan:traffic src_translated_port=##### src_translated_ip=###.###.##.## earliest=11/02/2012:23:00:00 latest=11/03/2012:00:23:00

I then review these results to find the src_ip needed to run the subsequent searches.
Using the src_ip, I then run this search:
sourcetype=msdhcp earliest=11/02/2012:23:00:00 latest=11/03/2012:00:23:00 src_ip=###.###.##.###

I then review these results to find the MAC address associated with the first two searches.
Using the MAC address, I then run this search to determine the user associated with the MAC:
sourcetype=campusmgr earliest=11/02/2012:23:00:00 latest=11/03/2012:00:23:00 ##:##:##:##:##:##

Is there a way to combine these searches into one using map search or the eval commands?

Any insight would be appreciated. Thanks


martin_mueller
SplunkTrust

You could combine the searches like this:

sourcetype=campusmgr earliest=11/02/2012:23:00:00 latest=11/03/2012:00:23:00 [search sourcetype=msdhcp earliest=11/02/2012:23:00:00 latest=11/03/2012:00:23:00 [search sourcetype=pan:traffic src_translated_port=##### src_translated_ip=###.###.##.## earliest=11/02/2012:23:00:00 latest=11/03/2012:00:23:00 | return 100 src_ip] | return 100 MAC]

return takes the subsearch results, picks out the specified field (src_ip or MAC) and builds an OR'd chain of up to 100 or however many you like matches, which then get applied to the outer search as a filter. In order for this to work nicely you need to extract the MAC as a field in the campusmgr sourcetype... which probably is a good idea on its own.
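To make the subsearch chaining concrete, here is an added Python model of the three-hop pivot described in this answer (not code from the thread or from Splunk): `return_field` mimics what `return N field` does (unique values of the field, capped at N, applied to the outer search as an OR'd filter), and `extract_mac` stands in for the MAC field extraction the campusmgr sourcetype needs. All sample events, field values and the regex are constructed placeholders.

```python
import re

# Constructed sample events (placeholders, not real traffic). Each dict is one event.
PAN_TRAFFIC = [
    {"src_translated_port": "40001", "src_translated_ip": "203.0.113.10", "src_ip": "10.0.0.5"},
    {"src_translated_port": "40001", "src_translated_ip": "203.0.113.10", "src_ip": "10.0.0.5"},
    {"src_translated_port": "40002", "src_translated_ip": "203.0.113.10", "src_ip": "10.0.0.9"},
]
MSDHCP = [
    {"src_ip": "10.0.0.5", "MAC": "00:11:22:33:44:55"},
    {"src_ip": "10.0.0.9", "MAC": "aa:bb:cc:dd:ee:ff"},
]
# campusmgr events as raw text: the MAC is present but NOT yet an extracted field.
CAMPUSMGR = [
    {"_raw": "session user=jdoe mac=00:11:22:33:44:55 vlan=20"},
    {"_raw": "session user=asmith mac=aa:bb:cc:dd:ee:ff vlan=30"},
]

def return_field(events, field, limit=100):
    """Model of SPL `return <limit> <field>`: unique values of <field>, capped at <limit>."""
    seen = []
    for ev in events:
        v = ev.get(field)
        if v is not None and v not in seen:
            seen.append(v)
        if len(seen) >= limit:
            break
    return seen

def where(events, **criteria):
    """Inner-most search: keep events whose fields equal every given criterion."""
    return [ev for ev in events if all(ev.get(k) == v for k, v in criteria.items())]

def with_field_in(events, field, values):
    """Apply the subsearch's OR'd chain (field=v1 OR field=v2 ...) as an outer filter."""
    return [ev for ev in events if ev.get(field) in values]

# Hypothetical extraction regex; a real deployment would use props/transforms or rex.
MAC_RE = re.compile(r"mac=([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)

def extract_mac(events):
    """Stand-in for the MAC field extraction the answer says campusmgr needs."""
    out = []
    for ev in events:
        m = MAC_RE.search(ev["_raw"])
        out.append({**ev, "MAC": m.group(1).lower()} if m else dict(ev))
    return out

def pivot(port, nat_ip, limit=100):
    """pan:traffic -> src_ip -> msdhcp -> MAC -> campusmgr, exactly as the nested search does."""
    ips = return_field(where(PAN_TRAFFIC, src_translated_port=port, src_translated_ip=nat_ip), "src_ip", limit)
    macs = return_field(with_field_in(MSDHCP, "src_ip", ips), "MAC", limit)
    return with_field_in(extract_mac(CAMPUSMGR), "MAC", [m.lower() for m in macs])
```

Filtering the raw campusmgr events without running the extraction first matches nothing, which is the practical reason the answer insists on extracting MAC as a field.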

gkanapathy
Splunk Employee

Note that you can leave out the time specifiers (earliest/latest) since you're using the same ones in all searches. Just specify the time using the time dropdown or the earliest/latest flags/parameters on the CLI or API, rather than directly in the query, and all searches and subsearches will use that time range.
