Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Alert to trigger secondary search

gdavid
Path Finder
‎02-27-2016 04:26 AM

Is there any easy way for an alert to trigger another search?

my use case is for an account lockout to trigger a search for failed login attempts for that account, so i do want to pass in some result variables. it looks like i can do this with $result.field$, but not sure if i need to write my own script for this or if there is an easier way.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-27-2016 02:19 PM

Here's a rough untested idea of how to merge the two searches:

  (eventtype=msad-account-lockout out) OR (eventtype="msad-failed-user-logons" EventCode=4625)
| stats values(eventtype) as et values(displayName) values(email) ... values(src) values(src_ip) ... by user
| search et=msad-account-lockout

That'll effectively join the two eventtypes together by user, and only return users that actually had a lockout in the realtime search window.

0 Karma
Reply

gdavid
Path Finder
‎02-27-2016 11:28 AM

Right now the workflow is realtime alert on this search:

Lockout Alert:

eventtype=msad-account-lockout out | lookup AD_Users_Lookup sAMAccountName as user | table _time, displayName, user, email, telephoneNumber, mobile, pwdLastSet, description, Caller_Computer_Name, dest_nt_host   | rename  Caller_Computer_Name as "Occurred On", mobile as "Mobile Phone", telephoneNumber as "Phone", user as "UserID", pwdLastSet as "Password Changed On", signature as "Action", description as Description, dest_nt_host as "Reported By"

The secondary search that I'm thinking about looping in is:
Why it locked out, but may come back with multiple results if they try on different PCs (src):

eventtype="msad-failed-user-logons" EventCode=4625 | table user, src, src_ip, EventCodeDescription, dest
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-27-2016 05:09 AM

You might be able to roll this into one alerting search.

0 Karma
Reply

woodcock
Esteemed Legend
‎02-27-2016 08:36 AM

I agree; you can almost certainly do this with a single search (which could then be split into 2 if you like). Give the details and I am sure we can construct a framework for this.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...