Help with Sub Searches

rmcdougal · ‎05-01-2013

I am attempting to search our networking logs based off the snort alert logs but I can't figure out how to perform the sub search correctly. This is what I have so far:

sourcetype=snort | eval snort_src=src_ip | eval snort_dest=dest_ip [search sourcetype=cisco_asa dest_ip=snort_destip | table NAT_Address] | table snort_src, snort_dest, NAT_Address

So basically this is what I want to accomplish

Return all Snort alerts
Rename the Snort src_ip field to snort_src (this is because the same field exists in the cisco logs)
Rename the Snort dest_ip field to Snort_dest
Search the Cisco logs for matches based on the snort dest_ip
Return NAT Address field
Table Snort_src, Snort_dest, NAT_Address

bmacias84 · ‎05-01-2013

Hello @rmcdougal, I am assuming your field extraction exists for all fields for your sources. Also I think you need do some reading on search operations and sub searches. Here is how I might approach the problem, keep in mind I dont have the same data that you are using.

I also assume dest_ip exists in both sourcetypes. You may have to do work with time.



sourcetype=snort OR sourcetype=cisco_asa | selfjoin dest_ip | table src_ip, dest_ip, NAT_Address

or



sourcetype=snort | fields _time,src_ip, dest_ip| join dest_ip [search  sourcetype=cisco_asa | fields _time,dest_ip, NAT_Address ]

or



sourcetype=snort OR sourcetype=cisco_asa | transaction dest_ip maxspan=5s | fields src_ip, dest_ip, NAT_Address

Consider reading Exploring Splunk Se4arch Processing Language (SPL)

I hope you this helps or gets you started. dont forget to accept or vote up answers. Cheers.

Help with Sub Searches

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases