I am trying to run a report where, from my IIS logs, I want to pull request URLs that have the keywords union and select in them, and I want to get the top source IPs that are generating these requests. My query below returns the top IPs that generate requests with the keywords, but it's not displaying the actual requests that are indexed under the cs_uri_query field.
sourcetype=iis union select | top limit=20 c_ip | table cs_uri_query, c_ip
To see why it's behaving the way it does, back up a step in the search. Treat your Splunk search just like a Linux pipeline: the output from one command is the input for the next. So in your case, your table command is working with the output of the top command. What is the output of the top command? That's easy to see by removing everything after it:
sourcetype=iis union select | top limit=20 c_ip
When you run that, look at the output. More specifically, look at what's not there anymore: your cs_uri_query field. Since it is not a part of the output of your top command, it's impossible for the table command to display it. So this tells us that top might not be the best way to get the information you want (at least, not directly).
Now comes the hard question: what do you actually expect your output to be? Your question doesn't make this clear, so I'm going to assume you want all the requests from the top 20 IPs. If so, we're going to need to do some subsearch magic:
sourcetype=iis union select [search sourcetype=iis union select | top limit=20 c_ip | table c_ip | format] | table cs_uri_query, c_ip
The magic here is in the subsearch (everything inside the [] is its own search). The subsearch generates a list of your top 20 c_ip values and turns them into search parameters for the outer search. So what Splunk actually sees is:
sourcetype=iis union select ( (c_ip="X.X.X.X") OR (c_ip="Y.Y.Y.Y") OR ... ) | ...
This will give you a table of every request from those specific IPs having either 'union' or 'select' in them.
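The two-stage search in the answer above (stage 1: top N client IPs whose requests carry the keywords; stage 2: every matching request from those IPs), reproduced in plain Python over a handful of constructed IIS W3C log lines. This is an added example, not code from the original question or answer, and the log lines, field layout and function names are my own. One assumption beyond the post: the query string is URL-decoded and lowercased before matching, so that `UNION` or `union%20select` are counted as well; bare terms in a Splunk search are ANDed, so a request has to contain both keywords to match.

```python
"""Added example (not from the original post): the answer's two-stage Splunk
search done in Python over constructed IIS W3C log lines."""
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample, not real traffic. Column layout follows a typical IIS
# "#Fields:" header; "-" means an empty field, as IIS writes it.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2024-01-01 10:00:00 203.0.113.5 GET /products.aspx id=1+union+select+1,2,3 200
2024-01-01 10:00:01 203.0.113.5 GET /products.aspx id=1+UNION+SELECT+user,pass+FROM+users 500
2024-01-01 10:00:02 198.51.100.7 GET /search.aspx q=1%27+union%20select+null 200
2024-01-01 10:00:03 192.0.2.9 GET /index.aspx - 200
2024-01-01 10:00:04 192.0.2.9 GET /news.aspx q=select+your+plan 200
2024-01-01 10:00:05 203.0.113.5 GET /products.aspx id=2 200
"""


def parse_iis(text):
    """Yield one dict per data line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directive lines (#Software, #Date, ...) or blanks
        values = line.split()  # IIS URL-encodes spaces, so whitespace is safe
        if fields is None or len(values) != len(fields):
            continue  # cannot map this line to the declared columns; skip it
        yield dict(zip(fields, values))


def matches(record, keywords=("union", "select")):
    """True when cs-uri-query contains every keyword (Splunk ANDs bare terms).
    Assumption beyond the post: decode and lowercase first so that case and
    percent-encoding variants of the same payload are still caught."""
    query = record.get("cs-uri-query", "-")
    if query == "-":
        return False
    decoded = unquote_plus(query).lower()
    return all(k in decoded for k in keywords)


def top_ips(records, limit=20):
    """Stage 1, the equivalent of '... | top limit=20 c_ip': [(ip, count), ...]."""
    counts = Counter(r["c-ip"] for r in records if matches(r))
    return counts.most_common(limit)


def requests_from_top_ips(records, limit=20):
    """Stage 2, the equivalent of the outer search with the subsearch's
    ((c_ip="X") OR (c_ip="Y") ...) filter, then 'table cs_uri_query, c_ip'.
    `records` must be a list, since it is iterated twice."""
    wanted = {ip for ip, _ in top_ips(records, limit)}
    return [(r["cs-uri-query"], r["c-ip"])
            for r in records if r["c-ip"] in wanted and matches(r)]


if __name__ == "__main__":
    recs = list(parse_iis(SAMPLE_LOG))
    print("top c_ip\tcount")
    for ip, n in top_ips(recs):
        print(f"{ip}\t{n}")
    print("\ncs_uri_query\tc_ip")
    for q, ip in requests_from_top_ips(recs):
        print(f"{q}\t{ip}")
```

The request on 192.0.2.9 containing only `select` is deliberately in the sample: it is not counted, which is the behaviour of the original `union select` search rather than an OR of the two terms.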