I am running 2 searches from 2 different source types.
Search 1: Search for sidewinder traffic that went through attempting to make an FTP connection
[search index=sdwfw001 fac=f_http_proxy url=* request_command=CONNECT |stats count by dest_IP url | rename dest_IP as dest_ip | fields dest_ip ]
Search 2: Search the checkpoint firewall traffic for the previous traffic, adding the policy that fired.
index=checkpoint rule=*
My search:
index=checkpoint rule=* [search index=sdwfw001 fac=f_http_proxy url=* request_command=CONNECT |stats count by dest_IP url | rename dest_IP as dest_ip | fields dest_ip ] | stats count by dest_ip policy_name
My search works, but I don't know how to bring the URL from the subsearch, because when I do, it then searches for it in the 2nd search and the URL is not there. In the end I would like a stats count by dest_ip policy_name url.
Strictly speaking, no - it is not possible to populate a variable out from the subsearch into the primary search without Splunk interpreting that variable as a search value. But there are some other ways to go about it.
First Idea
Perform a unified search across both sources and preserve only the events that have a shared dest_ip. Then perform your stats command across the remaining results. It would look something like this:
(index=checkpoint rule=*) OR (index=sdwfw001 fac=f_http_proxy url=* request_command=CONNECT)
| eval dest_ip=coalesce(dest_ip, dest_IP)
| eventstats dc(index) AS index_count values(url) AS url BY dest_ip
| search index_count=2
| stats count BY dest_ip policy_name url
The disadvantage here is that you aren't pre-filtering the checkpoint logs, so the search might bog down a bit, depending on the volume of data going into your checkpoint index.
Second Idea (not recommended)
The only way I know to pass a value as a variable (but not a search term) from one search into another is to use the map command. However, this command is terribly inefficient, as explained here: https://answers.splunk.com/answers/611129/newbie-map-question.html#answer-612249
But as a teaching exercise, it might be useful to understand how the map command could be used here:
index=sdwfw001 fac=f_http_proxy url=* request_command=CONNECT
| stats count BY dest_IP url
| map maxsearches=0
    [ search index=checkpoint rule=* "$dest_IP$"
      | eval url="$url$"
      | stats count BY dest_ip policy_name url ]
| stats sum(count) AS count BY dest_ip policy_name url
Really, really - do not use this search, as it will launch a new search for every dest_IP found in the first part of the search. This is remarkably inefficient.
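Added here as an example that is not part of the original answer: a third variant that keeps the questioner's own subsearch as a pre-filter on the checkpoint index (so it avoids the full-scan cost of the unified search) and then attaches the url values per dest_ip with append instead of map. It assumes the same field names as above (dest_IP in the sidewinder events; dest_ip and policy_name in the checkpoint events).

```spl
index=checkpoint rule=*
    [search index=sdwfw001 fac=f_http_proxy url=* request_command=CONNECT
     | stats count BY dest_IP
     | rename dest_IP AS dest_ip
     | fields dest_ip]
| stats count BY dest_ip policy_name
| append
    [search index=sdwfw001 fac=f_http_proxy url=* request_command=CONNECT
     | stats count BY dest_IP url
     | rename dest_IP AS dest_ip
     | fields dest_ip url]
| eventstats values(url) AS url BY dest_ip
| where isnotnull(policy_name)
| stats sum(count) AS count BY dest_ip policy_name url
```

Both subsearches are subject to the subsearch result and time limits (maxout and maxtime under [subsearch] in limits.conf), so check the job inspector for a truncated-subsearch warning if the sidewinder result set is large.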