Splunk Search

Modify search term before search

Isaac_Hailperin
Explorer

I would like to modify my search term before I actually search for it. Background: I want to see how the MX for a certain domain connects to my MX. Say I want to know how (e.g. with TLS) the mail relay for acme.org connects. If I search for acme.org in my maillog, I find nothing, because the MX record for acme.org might be coolmailer.com. Currently I do the lookup by hand before I search, but it would be cool to integrate this step into the Splunk search. I tried using a scripted lookup, but I fail at using a lookup before getting any results from the search.

Something along the lines of

sourcetype=whatever  give_mx_record_of("acme.org")  |stats count by encryption_level

where give_mx_record_of("acme.org") would return coolmailer.com, which is what would be searched for, so while I enter acme.org into my (saved) search (because that is what I know), Splunk actually searches for

sourcetype=whatever coolmailer.com |stats count by encryption_level

This particular example would probably yield just one line, or no result. I have a python script that does the conversion of acme.org to coolmailer.com, currently in the form of a lookup script (scripted lookup), but if it helps I can transform it to any other format.

Can Splunk do such a thing, and if yes, how?

0 Karma

lguinn2
Legend

Perhaps a subsearch would work for you.

index=wherever [ search index=mxstuff acme.org | other search stuff | fields mx_name ]

Terrible example, but you haven't given much to go on. The search within the brackets is the subsearch. It executes first, and the results of the subsearch become terms in the base search. You may want to read more in the manual: About subsearches

0 Karma
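Below is an added example (not the asker's script and not Splunk's own code) of what the domain-to-MX conversion looks like when written as a Splunk scripted (external) lookup, so it can be driven from the subsearch lguinn2 describes rather than run by hand. Splunk invokes an external lookup with the field names as arguments, pipes the rows to fill in as CSV on stdin and reads CSV with the same header back from stdout; a row whose lookup finds nothing comes back with the output field empty. The resolver here is a constructed in-memory table so the script runs offline; the names mx_lookup, domain and mx_name, and the transforms.conf stanza in the comments, are assumptions for the sake of the example.

```python
#!/usr/bin/env python3
"""Splunk scripted (external) lookup: domain -> MX host.

Added example, not the original poster's script. Splunk calls an external
lookup as  <script> <field1> <field2> ...  sends the rows to fill in as CSV on
stdin and expects CSV with the same header on stdout.
"""
import csv
import io
import sys

# Constructed stand-in for DNS so the script runs offline. In production the
# resolver would issue a real MX query (for example with dnspython's
# dns.resolver) instead of consulting this table.
FAKE_MX_TABLE = {
    "acme.org": ["coolmailer.com"],
    "example.net": ["mx1.example.net", "mx2.example.net"],
}


def normalize_domain(value):
    """Trim, lowercase and strip a trailing dot so lookups are deterministic."""
    return value.strip().lower().rstrip(".")


def fake_resolve_mx(domain):
    """Return the MX exchange hostnames for a domain (constructed data)."""
    return FAKE_MX_TABLE.get(normalize_domain(domain), [])


def fill_rows(rows, domain_field, mx_field, resolver=fake_resolve_mx):
    """Fill mx_field for every row whose domain_field is set.

    A domain with several MX records yields one output row per MX host (a
    one-to-many lookup match); an unresolvable domain yields a single row with
    an empty mx_field, which is how Splunk expects "no match" to be reported.
    """
    out = []
    for row in rows:
        domain = normalize_domain(row.get(domain_field) or "")
        if not domain:
            out.append(dict(row))  # nothing to resolve, pass the row through
            continue
        hosts = resolver(domain)
        if not hosts:
            out.append(dict(row, **{mx_field: ""}))
            continue
        for host in hosts:
            out.append(dict(row, **{mx_field: host}))
    return out


def run_lookup(csv_text, domain_field, mx_field, resolver=fake_resolve_mx):
    """Process one CSV document as Splunk delivers it and return CSV text."""
    reader = csv.DictReader(io.StringIO(csv_text))
    fieldnames = list(reader.fieldnames or [domain_field, mx_field])
    for name in (domain_field, mx_field):
        if name not in fieldnames:
            fieldnames.append(name)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(fill_rows(list(reader), domain_field, mx_field, resolver))
    return buf.getvalue()


if __name__ == "__main__":
    # Assumed transforms.conf stanza for this script:
    #   [mx_lookup]
    #   external_cmd = mx_lookup.py domain mx_name
    #   fields_list  = domain, mx_name
    if len(sys.argv) != 3:
        sys.exit("usage: mx_lookup.py <domain_field> <mx_field>")
    sys.stdout.write(run_lookup(sys.stdin.read(), sys.argv[1], sys.argv[2]))
```

With the lookup defined, the subsearch from the answer can produce the MX host and hand it to the outer search as a bare term (assuming the lookup is named mx_lookup): sourcetype=whatever [| makeresults | eval domain="acme.org" | lookup mx_lookup domain OUTPUT mx_name | fields mx_name | rename mx_name AS search] | stats count by encryption_level. The rename to search matters: without it the subsearch would return mx_name="coolmailer.com" as a field/value term, which only matches events where a field called mx_name is extracted, whereas the asker wants the hostname matched as a raw term in the maillog.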