Splunk Search

Problems with subsearch and returning multiple fields

reinoheinanen
Explorer

Hello, I'm trying to run the following search:

Using a subsearch I collect from DNS logs the source IP address and the domain they looked up.
Then, using the source IP address, query the Windows security event logs to see the user using the IP address at the time.
Create output with the destination, source IP, user details.

I'm having problems with subsearch and returning values.
How do you return multiple fields and then search further using only one of the fields (src in this case)?

[ search sourcetype="dns" "specific urls" | dedup src | return src query ]
sourcetype="WinSecurityEvent" src
| dedup accountname | stats values(accountname) AS accounts | table query, src, accounts

Or is there a better way of doing this?

0 Karma

reinoheinanen
Explorer

I managed to get this to work but had to do it slightly differently.

As Splunk doesn't seem to support proper control over what to do with results that are returned from subsearches, I had to run two separate subsearches using OR between them.

(index=winsec sourcetype="WinSecurityEvent" src [ search sourcetype="dns" "specific urls" | dedup src | return 100 src_ip=src ] ) OR
(index=DNS [ search sourcetype="dns" "specific urls" | dedup src | return 100 query ])
| dedup accountname | stats values(accountname) AS accounts | table query, src_ip, accounts

0 Karma

malvidin
Communicator

I just posted an "idea" for the return command to be able to do what you would like it to do.

https://ideas.splunk.com/ideas/EID-I-532

The following is your command, rewritten with a rex command that should create a simple boolean expression from one subsearch.

((index=winsec sourcetype="WinSecurityEvent") OR index=DNS
    [ search sourcetype="dns" "specific urls"
    | dedup src
    | return 100 src_ip=src OR query
    | eval search = if(len(search)<3, "NOTHING FOUND", search)
    | rex mode=sed field=search "s/ (OR|AND|NOT)=\"\" / \1 /g" ] )
| dedup accountname
| stats values(accountname) AS accounts
| table query, src_ip, accounts

The string in the eval command should be changed to something that will never be found. Depending on the use, perhaps "index!=*" might be more efficient. Otherwise, if nothing is found then the search will return an empty string that matches all events. This may be desired, in which case the eval statement should be removed.

0 Karma

hunters_splunk
Splunk Employee

Hi reinoheinanen,

You can use the fields command in your subsearch to return specified fields as arguments for the outer search. For example:

... [ search sourcetype="dns" "specific urls" | dedup src | fields src] ... 

There are other ways you can change the format of subsearch results to meet your needs. For more information, please refer to the documentation: http://docs.splunk.com/Documentation/Splunk/6.5.1/Search/Changetheformatofsubsearchresults

Hope this helps. Thanks!
Hunter

0 Karma

reinoheinanen
Explorer

Thanks Hunter,

So now I have another problem. The link you provided had details about the format command, which I was hoping to use to modify the returned search result so that it works with multiple returned fields.

Splunk docs says:
"The format command changes your subsearch results into a single linear search string. This is used when you want to pass the returned values in the returned fields into the primary search."

I have managed to get the query to work if I return a single field. But it doesn't work if I pipe it to format. It seems the primary search doesn't work with the returned linear search string?

[ search sourcetype="dns" "specific urls" | dedup src | return 3 src_ip=src | format ]
sourcetype="WinSecurityEvent"
| dedup accountname | stats values(accountname) AS accounts | table query, src_ip, accounts

The formatted search string that is returned contains (this does not work):
( ( "(src_ip=\"10.10.10.1\") OR (src_ip=\"10.10.10.2\") OR (src_ip=\"10.10.10.3\")" ) )

Without format (this works):
(src_ip="10.10.10.1") OR (src_ip="10.10.10.2") OR (src_ip="10.10.10.3")

Is there a bug, or am I missing something from my command, or am I supposed to modify linear search strings somehow before they can be used with the primary search?

Thanks,

0 Karma
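What `return` and `format` actually hand to the outer search is the crux of both the original question (why `return src query` finds no Windows events) and the last post (why `return ... | format` breaks). The following is an added Python model, not part of the thread and not Splunk's code: it builds the search string the way `return N alias=field ...` does and the way `format` does with its documented default separators `"(" "(" "AND" ")" "OR" ")"`, treats a returned `search` field as a quoted literal because that is what the output quoted in the thread shows (an assumption taken from that output, not from documentation), and checks the result against constructed DNS rows and Windows events. The field names `src`, `query`, `src_ip`, `accountname`, and all IPs and account names are made up for illustration.

```python
import re

# Constructed sample data, not from the thread: DNS lookups carrying the client
# IP (`src`) and the name queried (`query`), and Windows security events that
# carry the client IP under a different field name (`src_ip`) and no `query`.
DNS_ROWS = [
    {"src": "10.10.10.1", "query": "bad.example"},
    {"src": "10.10.10.2", "query": "bad.example"},
    {"src": "10.10.10.3", "query": "evil.example"},
    {"src": "10.10.10.1", "query": "evil.example"},  # same src again; dedup drops it
]
WIN_EVENTS = [
    {"src_ip": "10.10.10.2", "accountname": "alice"},
    {"src_ip": "10.10.10.9", "accountname": "bob"},
]


def quote(value):
    """Quote a value as a Splunk search literal, escaping backslashes and quotes."""
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'


def dedup(rows, field):
    """Keep the first row per distinct value of `field`, like `| dedup <field>`."""
    seen, kept = set(), []
    for row in rows:
        if row.get(field) not in seen:
            seen.add(row.get(field))
            kept.append(row)
    return kept


def splunk_return(rows, count, **aliases):
    """Model of `| return <count> alias=field ...`.

    Produces one row whose `search` field is an OR of per-row clauses; inside a
    clause every returned field is a term, and adjacent terms are an implicit AND.
    """
    clauses = []
    for row in rows[:count]:
        terms = [f"{alias}={quote(row[field])}" for alias, field in aliases.items()]
        clauses.append("(" + " ".join(terms) + ")")
    return [{"search": " OR ".join(clauses)}]


def splunk_format(rows, row_prefix="(", col_prefix="(", col_sep="AND",
                  col_end=")", row_sep="OR", row_end=")"):
    """Model of `| format` with its documented default separators:
    ( ( f1="v1" AND f2="v2" ) OR ( ... ) ).

    Assumption modelled from the output quoted in the thread: a `search` field is
    emitted as a quoted literal with no field name, so formatting the row that
    `return` built wraps the already-built search string in another layer.
    """
    row_strings = []
    for row in rows:
        cols = []
        for field, value in row.items():
            cols.append(quote(value) if field == "search" else f"{field}={quote(value)}")
        row_strings.append(f"{col_prefix} " + f" {col_sep} ".join(cols) + f" {col_end}")
    return f"{row_prefix} " + f" {row_sep} ".join(row_strings) + f" {row_end}"


TERM_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def event_matches(event, search_string):
    """Toy evaluator for the strings `splunk_return` builds: an event matches if
    every term of at least one OR-clause equals the event's field value."""
    for clause in search_string.split(" OR "):
        terms = TERM_RE.findall(clause)
        if terms and all(event.get(f) == v.replace('\\"', '"') for f, v in terms):
            return True
    return False


def demo():
    """Reproduce the three situations discussed in the thread."""
    unique = dedup(DNS_ROWS, "src")
    # 1. Single aliased field: the string the thread reports as working.
    one_field = splunk_return(unique, 3, src_ip="src")[0]["search"]
    # 2. Two returned fields: every clause now also demands query=..., which the
    #    Windows events do not carry, so nothing from WinSecurityEvent matches.
    two_fields = splunk_return(unique, 3, src_ip="src", query="query")[0]["search"]
    # 3. Piping the `return` output through `format` wraps it a second time.
    double_wrapped = splunk_format(splunk_return(unique, 3, src_ip="src"))
    return {
        "one_field": one_field,
        "two_fields": two_fields,
        "double_wrapped": double_wrapped,
        "accounts_one_field": [e["accountname"] for e in WIN_EVENTS if event_matches(e, one_field)],
        "accounts_two_fields": [e["accountname"] for e in WIN_EVENTS if event_matches(e, two_fields)],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the two failure modes side by side: the two-field `return` yields clauses such as `(src_ip="10.10.10.1" query="bad.example")`, so an event must carry both fields to match and the Windows events drop out, while `return | format` turns the working `(src_ip="10.10.10.1") OR ...` string into `( ( "(src_ip=\"10.10.10.1\") OR ..." ) )`, a single quoted literal rather than a boolean expression. `return` already emits a `search` field, which is why it needs no explicit `format` after it.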