Splunk Enterprise Security

Sub search return value that's not in main search

karthikmalla
Explorer

I have a Splunk sub search similar to

index=index1 type="example" [ search index=index2 type="other" | eval nowtime=_time | eval maxtime=_time+30 | fields user] | table user, nowtime, maxtime

Now in index2 there are extra fields, nowtime and maxtime, and I need to compare these (nowtime & maxtime) to index1's event time, i.e. index1's _time > nowtime and index1's _time < maxtime.

For this I have to return values nowtime & maxtime out of the inner search which I am unable to do.

The inner search is based on a common field called user which is in both index1 and index2. How can I check if the user logged in to index2 and then had a login within 30 seconds in index1?

Thanks

0 Karma

manish_singh_77
Builder

Please use append if you want to pass the results of the subsearch to the main search.

index=index1 type="example" | append [ search index=index2 type="other" | eval nowtime=_time | eval maxtime=_time+30 | fields user] | table user, nowtime, maxtime

Let me know if it works.

0 Karma

renjith_nair
SplunkTrust

Hi @karthikmalla ,

Your sub-search is not returning the fields because you have restricted the inner search fields to fields user.
Can you please try the below and see if it works for you? You might change the aggregation function based on your events' order.

(index=index1 OR index=index2) | stats latest(eval(if(index=="index1",_time,NULL))) as index1_time,latest(eval(if(index=="index2",_time,NULL))) as index2_time by user
|eval diff= index2_time- index1_time|where diff <30
Happy Splunking!

karthikmalla
Explorer

Actually this is deduping the user, which shouldn't happen, and also not all users' time differences are working. If I run over a full day, index1 has around 100,000 results and index2 has 100 results, and technically every event in index2 should be in index1 as well (but with a time difference); however only 1 or 2 events are displayed. Not sure why the others are ignored.

0 Karma

renjith_nair
SplunkTrust

Alright, can you please try this and let us know:

index=index1 type="example" |join user type=outer [ search index=index2 type="other" | eval nowtime=_time | eval maxtime=_time+30 | fields nowtime,maxtime] | table _time,user, nowtime, maxtime
Happy Splunking!
0 Karma

karthikmalla
Explorer

I tried this before and, as I said in my earlier comment, index1 has 100,000 results and index2 has 100 results, and I need the user login in index2 to be checked against the user login in index1 within 30 seconds. The way join does it is that if there is any login in index1 it will still join it. My main blocker is checking 2 events from different indexes within 30 seconds.

0 Karma
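An added reference implementation of the correlation this thread is after (same user, an index1 login no more than 30 seconds after an index2 login), written in Python over constructed sample events. It is not part of the thread and not Splunk code; the index names and the 30-second window come from the question, and the event layout, user names and timestamps are assumptions. It also approximates the "latest per user" stats approach from the thread so the two behaviours can be compared on the same data: the event-level comparison keeps every index2 login and pairs each with the index1 logins in its window, while the per-user aggregation collapses each user to one row and only sees the newest event from each index.

```python
from dataclasses import dataclass

WINDOW_SECONDS = 30  # from the question: index1 login must follow within 30 s


@dataclass(frozen=True)
class Event:
    index: str  # "index1" or "index2"
    user: str   # the common field the thread joins on
    time: int   # epoch seconds, standing in for Splunk's _time


# Constructed sample data (not real logs): index2 is the small "trigger" source,
# index1 the large source that every index2 login should be followed by.
SAMPLE_EVENTS = [
    Event("index2", "alice", 1000),
    Event("index1", "alice", 1010),  # 10 s after the trigger  -> match
    Event("index1", "alice", 1200),  # unrelated later login   -> no match
    Event("index2", "alice", 1500),  # second trigger, same user
    Event("index1", "alice", 1540),  # 40 s after the trigger  -> outside window
    Event("index2", "bob", 2000),
    Event("index1", "bob", 1995),    # before the trigger      -> no match
    Event("index2", "carol", 3000),
    Event("index1", "carol", 3030),  # exactly 30 s            -> match (inclusive)
]


def correlate_logins(events, window=WINDOW_SECONDS):
    """Event-level correlation: for every index2 login (the 'nowtime'), return
    (index2_event, index1_event) pairs where the same user has an index1 login
    with nowtime <= _time <= nowtime + window. Nothing is deduplicated per user."""
    by_user = {}
    for ev in events:
        by_user.setdefault(ev.user, []).append(ev)

    matches = []
    for evs in by_user.values():
        triggers = sorted((e for e in evs if e.index == "index2"), key=lambda e: e.time)
        followups = sorted((e for e in evs if e.index == "index1"), key=lambda e: e.time)
        for trig in triggers:
            maxtime = trig.time + window
            for fu in followups:
                if fu.time > maxtime:
                    break  # followups are sorted; nothing later can match
                if fu.time >= trig.time:
                    matches.append((trig, fu))
    return matches


def unmatched_triggers(events, window=WINDOW_SECONDS):
    """index2 logins with no index1 login from the same user inside the window.
    This is the set the asker cannot see with a plain join, which pairs any
    index1 login regardless of time."""
    matched = {trig for trig, _ in correlate_logins(events, window)}
    return [e for e in events if e.index == "index2" and e not in matched]


def latest_by_user_diff(events):
    """Approximates 'stats latest(index1 _time), latest(index2 _time) by user'
    followed by a diff: one row per user, built only from the newest event of
    each index, so earlier index2 logins are silently dropped."""
    latest = {}
    for ev in events:
        row = latest.setdefault(ev.user, {"index1": None, "index2": None})
        if row[ev.index] is None or ev.time > row[ev.index]:
            row[ev.index] = ev.time
    diffs = {}
    for user, row in latest.items():
        if row["index1"] is None or row["index2"] is None:
            continue
        diffs[user] = row["index1"] - row["index2"]  # seconds from index2 login to index1 login
    return diffs


def as_rows(matches):
    """Shape the matches like the asker's 'table user, nowtime, maxtime' output."""
    return [
        {"user": trig.user, "nowtime": trig.time, "maxtime": trig.time + WINDOW_SECONDS,
         "index1_time": fu.time}
        for trig, fu in matches
    ]


if __name__ == "__main__":
    for row in as_rows(correlate_logins(SAMPLE_EVENTS)):
        print("match:", row)
    for ev in unmatched_triggers(SAMPLE_EVENTS):
        print("no index1 login within window:", ev)
    print("per-user latest diff (one row per user):", latest_by_user_diff(SAMPLE_EVENTS))
```

On the constructed data the event-level correlation reports alice@1000 and carol@3000 as matched and alice@1500 and bob@2000 as unmatched, while the per-user aggregation returns a single diff per user (40 for alice, -5 for bob, 30 for carol) and never sees the alice@1000/1010 pair at all, which is the deduplication the asker observed. The same distinction applies in SPL: the check has to run per event against each index2 timestamp rather than against one aggregated time per user.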