Splunk Search

Subsearch field groupings

brywilk_umich
Path Finder

Hello,

I have a search (see below) that I'm having a little trouble with. It returns the fields correctly, but it's just a lot of ORs (like src_ip=1 OR src_ip=2 OR src_port=1 OR src_port=2). What I'm trying to figure out is how I would write the query so that the inner search returns the fields in groups to the outer search, like (src_ip=1 AND src_port=1 AND dst_ip=1 AND dst_port=1). Any thoughts? THANKS!

index=firewall sourcetype=juniper_vgw action=allow ip_proto!=17 rule_id!=263
[search index=firewall sourcetype=vmware:dfw rule_id=6710 NOT UDP
| fields src_ip src_port dst_ip dst_port]


somesoni2
Revered Legend

How about this:

index=firewall sourcetype=juniper_vgw action=allow ip_proto!=17 rule_id!=263
[search index=firewall sourcetype=vmware:dfw rule_id=6710 NOT UDP
| fields src_ip src_port dst_ip dst_port | format]

OR

index=firewall sourcetype=juniper_vgw action=allow ip_proto!=17 rule_id!=263
[search index=firewall sourcetype=vmware:dfw rule_id=6710 NOT UDP
| stats count by src_ip src_port dst_ip dst_port | fields - count | format]


mgrosholz
Path Finder

The question is a little convoluted. Could you clarify if you are looking to eval between the two searches or search the "| fields..." for the entire search string? If it's the latter you can just pull it out of the subsearch.


javiergn
Super Champion

Hi,

You can easily test what your subsearch is doing by using the format command.

For example, in my case I'm simply looking for events that have all the four fields below and then returning the first two I find. Finally pipe it to format to see what would happen if you were using this in a subsearch:

index=* src_ip=* src_port=* dest_ip=* dest_port=* 
| head 2
| fields src_ip src_port dest_ip dest_port
| format

Output:

( ( dest_ip="10.150.2.155" AND dest_port="53" AND src_ip="10.152.205.27" AND src_port="12345" ) OR ( dest_ip="10.150.2.155" AND dest_port="53" AND src_ip="10.152.205.27" AND src_port="12345" ) ) 

Which basically means: "Fields from event 1 joined with AND" OR "Fields from event 2 joined with AND"

Let me know if that helps.

Thanks,
J

EDIT: didn't notice the answer from somesoni above, but that should give you what you are looking for.
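To see why the two answers above produce different search strings, here is a small emulation of what `| format` does to subsearch rows. It is an added example, not Splunk's implementation: it reproduces the shape in javiergn's output (each row's fields joined with AND, rows joined with OR) and shows why somesoni2's `stats count by ... | fields - count` variant yields a shorter string when the dfw events repeat the same 4-tuple. Sample rows are constructed; the alphabetical field order within each group is an assumption taken from the quoted output.

```python
"""Emulate Splunk's `format` command on subsearch rows (added example)."""
from typing import Dict, List

Row = Dict[str, str]


def format_subsearch(rows: List[Row]) -> str:
    """Render rows the way `| format` does with its default operators:
    ( ( f1="v" AND f2="v" ) OR ( f1="v" AND f2="v" ) ).

    Fields are sorted within each group; this matches the alphabetical
    order seen in the quoted output but is an assumption about format's
    internals rather than documented behaviour.
    """
    if not rows:
        return ""
    groups = []
    for row in rows:
        terms = [f'{name}="{row[name]}"' for name in sorted(row)]
        groups.append("( " + " AND ".join(terms) + " )")
    return "( " + " OR ".join(groups) + " )"


def distinct_tuples(rows: List[Row], fields: List[str]) -> List[Row]:
    """Emulate `stats count by <fields> | fields - count`: one row per
    distinct field combination (row order does not matter to the OR)."""
    seen: List[Row] = []
    for row in rows:
        key = {f: row[f] for f in fields}
        if key not in seen:
            seen.append(key)
    return seen


# Constructed sample rows shaped like the dfw subsearch in the question;
# the first two are duplicates, as javiergn's output also shows.
SAMPLE_ROWS: List[Row] = [
    {"src_ip": "10.152.205.27", "src_port": "12345", "dst_ip": "10.150.2.155", "dst_port": "53"},
    {"src_ip": "10.152.205.27", "src_port": "12345", "dst_ip": "10.150.2.155", "dst_port": "53"},
    {"src_ip": "10.152.205.28", "src_port": "40000", "dst_ip": "10.150.2.155", "dst_port": "443"},
]
FIELDS = ["src_ip", "src_port", "dst_ip", "dst_port"]

if __name__ == "__main__":
    print("fields | format:\n ", format_subsearch(SAMPLE_ROWS))
    print("stats count by ... | fields - count | format:\n ",
          format_subsearch(distinct_tuples(SAMPLE_ROWS, FIELDS)))
```

The real subsearch is additionally capped by the subsearch result limit in limits.conf (10000 rows by default), which is another reason to deduplicate with `stats` before handing the rows to the outer search.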

brywilk_umich
Path Finder

That worked, thanks a bunch!
