Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to concat all rows in a single field able and use the result in another "search port IN"

vsasdao
Explorer
‎01-22-2021 04:11 AM

In my Search 1, it will list all unique port numbers associated with a certain IP address, i.e. 1.2.3.4

"MYTOKEN is: fcd4e600-eda2-4ee0-a3b3-093562f49c2e" | rex "1.2.3.4:(?<ipport>.*?) " | dedup ipport | table ipport | table ipport



And then I'd like to concatenate those ports into one long string delimitated with "," that is, "57432, 57453,57198" and finally this concatenated string will be used in another search, i.e 

"https_client-init <HTTP_REQUEST>: " | rex "2.3.4.5:(?<port>.*?) " | search port IN([search "MYTOKEN is: fcd4e600-eda2-4ee0-a3b3-093562f49c2e" | rex "1.2.3.4:(?<ipport>.*?) " | dedup ipport | table ipport | table ipport])

 

It will be really appreciated if someone could shed the light of how it can be solved. thanks in advance!

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎01-22-2021 04:22 AM

Hi @vsasdao,

Please try below query;

"https_client-init <HTTP_REQUEST>: " | rex "2.3.4.5:(?<port>.*?) " | search  [search "MYTOKEN is: fcd4e600-eda2-4ee0-a3b3-093562f49c2e" | rex "1.2.3.4:(?<port>.*?) " | dedup port | fields port]

 

If this reply helps you an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

Reply
Solved! Jump to solution

vsasdao
Explorer
‎01-22-2021 09:16 AM

it works well. Can you explain a bit how you've fixed it?

0 Karma
Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎01-23-2021 05:23 AM

Great!

Subsearches formats the results into a single linear search string. You can this string by running the subsearch by adding "| format" command at the end. I changed field name to port to create suitable search string from subsearch.

You can find more detail in below doc.

https://docs.splunk.com/Documentation/SplunkCloud/8.1.2011/Search/Changetheformatofsubsearchresults

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎01-22-2021 04:22 AM

Hi @vsasdao,

Please try below query;

"https_client-init <HTTP_REQUEST>: " | rex "2.3.4.5:(?<port>.*?) " | search  [search "MYTOKEN is: fcd4e600-eda2-4ee0-a3b3-093562f49c2e" | rex "1.2.3.4:(?<port>.*?) " | dedup port | fields port]

 

If this reply helps you an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...