I am attempting to search our networking logs based off the snort alert logs but I can't figure out how to perform the sub search correctly. This is what I have so far:
sourcetype=snort | eval snort_src=src_ip | eval snort_dest=dest_ip [search sourcetype=cisco_asa dest_ip=snort_destip | table NAT_Address] | table snort_src, snort_dest, NAT_Address
So basically, this is what I want to accomplish.
Hello @rmcdougal, I am assuming your field extraction exists for all fields for your sources. Also I think you need to do some reading on search operations and sub searches. Here is how I might approach the problem; keep in mind I don't have the same data that you are using.
I also assume dest_ip exists in both sourcetypes. You may have to do work with time.
sourcetype=snort OR sourcetype=cisco_asa | selfjoin dest_ip | table src_ip, dest_ip, NAT_Address
sourcetype=snort | fields _time, src_ip, dest_ip | join dest_ip [search sourcetype=cisco_asa | fields _time, dest_ip, NAT_Address]
sourcetype=snort OR sourcetype=cisco_asa | transaction dest_ip maxspan=5s | fields src_ip, dest_ip, NAT_Address
Consider reading Exploring Splunk Search Processing Language (SPL).
I hope this helps or gets you started. Don't forget to accept or vote up answers. Cheers.
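To make the difference between the three suggested searches concrete, here is an added Python example (not code from either poster) that performs the same correlation the `join` and `transaction maxspan=5s` variants do: each snort alert is matched to a cisco_asa NAT record sharing `dest_ip`, either within a time window or with no time constraint at all. The event dictionaries are constructed sample data, and the field names `_time`, `src_ip`, `dest_ip` and `NAT_Address` are taken from the searches above.

```python
from datetime import datetime, timedelta

# Constructed sample events standing in for the two sourcetypes.
SNORT_EVENTS = [
    {"_time": "2024-01-01T10:00:00", "src_ip": "10.0.0.5", "dest_ip": "198.51.100.7"},
    {"_time": "2024-01-01T10:00:30", "src_ip": "10.0.0.9", "dest_ip": "203.0.113.4"},
]
ASA_EVENTS = [
    {"_time": "2024-01-01T10:00:02", "dest_ip": "198.51.100.7", "NAT_Address": "192.0.2.10"},
    # Same dest_ip as the second alert, but ten minutes earlier: a stale translation.
    {"_time": "2024-01-01T09:50:00", "dest_ip": "203.0.113.4", "NAT_Address": "192.0.2.11"},
]


def parse_ts(value):
    """Turn the ISO-8601 _time string of a sample event into a datetime."""
    return datetime.fromisoformat(value)


def correlate(snort, asa, maxspan=timedelta(seconds=5)):
    """Attach NAT_Address to every snort alert.

    For each alert, pick the cisco_asa record with the same dest_ip whose
    timestamp is closest to the alert. With maxspan set, records outside the
    window are ignored (like `transaction dest_ip maxspan=5s`); with
    maxspan=None any record on dest_ip matches (like a plain `join dest_ip`),
    which is how a stale NAT entry can get attached to an unrelated alert.
    """
    by_dest = {}
    for event in asa:
        by_dest.setdefault(event["dest_ip"], []).append(event)

    rows = []
    for alert in snort:
        alert_time = parse_ts(alert["_time"])
        best = None  # (time distance, matching asa event)
        for candidate in by_dest.get(alert["dest_ip"], []):
            distance = abs(parse_ts(candidate["_time"]) - alert_time)
            if maxspan is not None and distance > maxspan:
                continue
            if best is None or distance < best[0]:
                best = (distance, candidate)
        rows.append({
            "snort_src": alert["src_ip"],
            "snort_dest": alert["dest_ip"],
            "NAT_Address": best[1]["NAT_Address"] if best else None,
        })
    return rows


if __name__ == "__main__":
    for row in correlate(SNORT_EVENTS, ASA_EVENTS):
        print(row)
```

Run against the sample data, the windowed version leaves `NAT_Address` empty for the second alert because the only firewall record for that `dest_ip` is ten minutes old, while the unwindowed version silently attaches the stale address; that gap is the "work with time" the answer warns about.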