Splunk Search

Using search result(s) in a second, separate search

MikeElliott
Communicator

Hi All,

I am looking to create a dashboard to support ongoing investigations. This dashboard will have many panels for logs such as windows event logs, web proxy logs, email gateway logs, endpoint protection logs, etc.

As per the below image, I would like to run an "AD_User_Search" which will return field values for "User_ID" and "Email_Address".

I would like the "WinEventLog_Search" and the "WebProxy_Search" to read the "User_ID" value returned from the "AD_User_Search" and then return relevant data from the windows event logs/web proxy logs. Likewise, the "EmailTraffic_Search" to read the "Email_Address" value returned from the "AD_User_Search" and return relevant data from the email gateway logs.


Can anyone advise the best way to go about this?

0 Karma

Sukisen1981
Champion

Hi,

There are several options here :

1) Use token drilldowns. Now your main panel is AD_user_search, that is perhaps just a list of user, email addr, user id. You can add some other stuff to the panel if some other 1-1 user information is present.
2) I would implement a row drill down to 3 other panels: event log search, proxy search and email traffic search. I would pass a token value (on row selection) to these 3 child panels which will be populated by clicking on one row of the main 'ad_user_search' panel to fetch the user id (for log search, proxy search) and email addr (for email traffic search) respectively.
3) Default value set to ALL for all 3 child panels.
4) Token drill down behavior - as soon as a row in the main panel is clicked, the values for user id and email addr are passed to the 3 child panels which will then show the requisite data on the same. The main thing is to pass the selected row token values to the respective panels. http://docs.splunk.com/Documentation/Splunk/7.0.2/Viz/DrilldownIntro

0 Karma

anjambha
Communicator

Hi MikeElliott,

You can make the other three panels of the dashboard depend on the "AD_User_Search" panel.

Or

Create drop-down of user_id and email_address from "AD_User_Search".

0 Karma

MikeElliott
Communicator

Hi anjambha,

In your second suggestion, how would we populate the drop downs with the results from the "AD_User_Search"?

An example search string for the "AD_User_Search" would be index=active_directory username=XXX | table username user_id email_address

0 Karma

anjambha
Communicator

So, in this case, for proper output you can create three drop-down inputs:
1) index=active_directory | dedup username | table username
2) index=active_directory username=$username$ | table user_id
3) index=active_directory username=$username$ | table email_address

0 Karma
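Both suggestions in this thread (Sukisen1981's row-drilldown tokens and anjambha's drop-down populated from the AD search) can be combined in one Simple XML form. The following is an added example, not code from either poster: the AD search is the one MikeElliott gave, while the index names wineventlog, proxy and email and the child-panel field names (user, EventCode, ComputerName, url, action, sender, recipient, subject) are assumptions to be replaced with your own sourcetypes' fields.

```xml
<form>
  <label>Investigation dashboard (added example, assumed index and field names)</label>
  <!-- Child panels start unfiltered ("ALL") until a row of AD_User_Search is clicked -->
  <init>
    <set token="user_id">*</set>
    <set token="email_address">*</set>
  </init>
  <fieldset submitButton="false">
    <!-- Drop-down populated from the AD index, as in anjambha's first search -->
    <input type="dropdown" token="username" searchWhenChanged="true">
      <label>AD username</label>
      <search><query>index=active_directory | dedup username | table username</query></search>
      <fieldForLabel>username</fieldForLabel>
      <fieldForValue>username</fieldForValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>AD_User_Search</title>
      <table>
        <search><query>index=active_directory username=$username$ | table username user_id email_address</query></search>
        <!-- Clicking a row copies that row's cells into the two tokens the child panels read -->
        <drilldown>
          <set token="user_id">$row.user_id$</set>
          <set token="email_address">$row.email_address$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>WinEventLog_Search</title>
      <!-- index=wineventlog and the field names in the three child searches are assumptions -->
      <table><search><query>index=wineventlog user="$user_id$" | table _time EventCode ComputerName</query></search></table>
    </panel>
    <panel>
      <title>WebProxy_Search</title>
      <table><search><query>index=proxy user="$user_id$" | table _time url action</query></search></table>
    </panel>
    <panel>
      <title>EmailTraffic_Search</title>
      <table><search><query>index=email sender="$email_address$" | table _time recipient subject</query></search></table>
    </panel>
  </row>
</form>
```

Because the child searches quote the tokens, the `*` set in `<init>` matches everything until a row is selected, which is the "default value ALL" behaviour described above.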