How to search all events from multiple sourcetypes that have a matching field?

festeves
Engager

Hi,

I'm new to Splunk and I want to make a search that finds all events from multiple sourcetypes that have a matching field.

For example:
I have a sourcetypeA (threat_script_match) whose only field is an IP address, and I have a sourcetypeB (opnsense) with source and dest. IP fields.

I want to be able to do something like a wildcard of sourcetypeA (which is much, much smaller, only ~500 events) and return all events from sourcetypeB that also contain the matching IPs. I can get the results I want using a giant chain of OR statements, i.e. 1.1.1.1.1 OR 1.1.1.1.0 OR ... However, that is not a good long-term solution.

Here's what I have so far:

sourcetype=opnsense [search sourcetype=Threat_script_match | return threat_src_IP=src_IP]

Any help would be awesome, thanks.

0 Karma
1 Solution

somesoni2
SplunkTrust

You were almost there. Try like this. For a field-based search, e.g. (src_IP=1.1.1.1 OR ...) OR (dest_IP=1.1.1.1 OR ...):

sourcetype=opnsense [search sourcetype=Threat_script_match | table threat_src_IP | rename threat_src_IP as src_IP ] OR [search sourcetype=Threat_script_match | table threat_src_IP | rename threat_src_IP as dest_IP ]

Or, for a string-based search (e.g. 1.1.1.1.1 OR 1.1.1.1.0 OR ..., which will be slower):

sourcetype=opnsense [search sourcetype=Threat_script_match | table threat_src_IP | rename threat_src_IP as search ]


festeves
Engager

Thanks for the response!
I tried the solutions you offered and tried my own changes; however, the search does not return any results.

Sourcetype=Threat_script_match contains events with only one field, which is an IP address (Threat_scr_IP).
Sourcetype=opnsense contains events from firewall logs, which have many different fields; however, I am interested in the source IP (src_IP).
What I'm trying to do is search the intersection of events from both, comparing the similar IP fields, which is to show all the events from opnsense that have matched the IPs from my threat_script_match. I have been reading about subsearches and multisearches, yet I can't find something similar in the Splunk docs to what I'm trying to accomplish.
Thanks.

0 Karma

somesoni2
SplunkTrust

This should do what you described above:

sourcetype=opnsense [search sourcetype=Threat_script_match | stats count by threat_src_IP | rename threat_src_IP as src_IP ]

The subsearch will generate a list of distinct threat_src_IP field values and add it to the base search as a filter on the field src_IP. So the resulting search would be like this. This will work if you have both the threat_src_IP and src_IP fields extracted.

sourcetype=opnsense ((src_IP="X.X.X.X") OR (src_IP="X.X.X.X") OR ... (src_IP="X.X.X.X"))
0 Karma
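The expansion described in the answer above (subsearch output rewritten into an OR chain) is the right mechanism, but two things trip people up in practice: the subsearch runs over the outer search's time range unless it sets its own earliest/latest, and it is capped by limits.conf [subsearch] (10,000 results and 60 seconds by default), after which results are silently truncated. The searches below are an added example, not code from the thread or from Splunk documentation; the sourcetype and field names (opnsense, Threat_script_match, threat_src_IP, src_IP, dest_IP) are taken from the thread, while the 30-day window, the lookup file name threat_ips.csv, its column ip, and the fields src_hit, dest_hit and direction are my own assumptions. The first search matches either direction in one subsearch by using format with "OR" as the in-row separator (the default "AND" would require both src_IP and dest_IP to equal the same indicator). The second pair of searches writes the indicator set to a CSV lookup and joins against it, which scales past the subsearch limits and is what you would schedule for the automated report.

```spl
sourcetype=opnsense
    [ search sourcetype=Threat_script_match earliest=-30d
      | stats count BY threat_src_IP
      | eval src_IP=threat_src_IP, dest_IP=threat_src_IP
      | fields src_IP dest_IP
      | format "(" "(" "OR" ")" "OR" ")" ]
| table _time src_IP dest_IP

sourcetype=Threat_script_match earliest=-30d
| stats count BY threat_src_IP
| rename threat_src_IP AS ip
| fields ip
| outputlookup threat_ips.csv

sourcetype=opnsense
| lookup threat_ips.csv ip AS src_IP OUTPUT ip AS src_hit
| lookup threat_ips.csv ip AS dest_IP OUTPUT ip AS dest_hit
| where isnotnull(src_hit) OR isnotnull(dest_hit)
| eval direction=case(isnotnull(src_hit) AND isnotnull(dest_hit), "both", isnotnull(src_hit), "source", true(), "destination")
| table _time src_IP dest_IP direction
```

The first subsearch expands to `( ( src_IP="A" OR dest_IP="A" ) OR ( src_IP="B" OR dest_IP="B" ) ... )`, so a single indicator list filters both directions without running the subsearch twice. For the lookup version, schedule the outputlookup search to refresh the indicator file and run the opnsense search against it; since lookup matching is done per event rather than by rewriting the query, the 10,000-result cap does not apply, and a hit field that is null tells you the event did not match that direction.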

festeves
Engager

Quick update;
I used this search and it returned the events that I'd like to see! Thanks!
I'm having some other issues with the timeframe with my script, but that's unrelated to this. I'm one step closer to the simple automated report I'm trying to do!
Thank you

0 Karma