Hi all, I'm working on this query:
sourcetype="webseal_access" OR sourcetype="wmi:wineventlog:security" | rename Source_Network_Address as IP | rename IP_Source as IP [search eventtype="searchIPS" Direction="Inbound" Severity="Medium" DestinationIP=* | fields DestinationIP | rename DestinationIP as IP]
but I get this error:
In rename: Usage: rename [old_name AS/TO/-> new_name]+
I need to search from sourcetype=webseal and sourcetype=wmi where the source IP is the same as in the subsearch. How can I do this? Thanks
You have two problems with this search. First, the subsearch should be the argument to a | search command, not to the rename command. Second, the second rename will clobber the first. You could rewrite your search as:
sourcetype="webseal_access" OR sourcetype="wmi:wineventlog:security"
| eval IP = if(sourcetype="webseal_access", Source_Network_Address, IP_Source)
| search [search eventtype="searchIPS" Direction="Inbound" Severity="Medium" DestinationIP=* | fields DestinationIP | rename DestinationIP as IP | dedup IP]
However, this search is going to retrieve every event from webseal_access and wmi:wineventlog:security, which may be inefficient.
I'd probably recommend setting up field aliases (http://www.splunk.com/base/Documentation/latest/Knowledge/Addaliasestofields) for the three sourcetypes, creating an implicit IP field. Then you could just search:
sourcetype="webseal_access" OR sourcetype="wmi:wineventlog:security" [search eventtype="searchIPS" Direction="Inbound" Severity="Medium" DestinationIP=* | dedup IP | fields IP]
Note that by default, a subsearch will yield 100 rows, so only 100 different IPs here. The easiest way to get around this is with stats (assuming you have field aliasing in place):
sourcetype="webseal_access" OR sourcetype="wmi:wineventlog:security" OR (eventtype="searchIPS" Direction="Inbound" Severity="Medium" IP=*)
| stats values(eventtype) as eventtype ... by IP
| search eventtype="searchIPS"
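An added example, not part of the original answer, that carries the stats approach through without depending on field aliases: it builds IP from the raw field names given in the question with coalesce, tags each event by which side it came from, and keeps only IPs seen on both sides, so an address that appears only in IPS alerts is not returned. The side labels and the summary columns are my own choices.

```spl
(sourcetype="webseal_access" OR sourcetype="wmi:wineventlog:security")
    OR (eventtype="searchIPS" Direction="Inbound" Severity="Medium" DestinationIP=*)
| eval IP=coalesce(Source_Network_Address, IP_Source, DestinationIP)
| eval side=if(sourcetype="webseal_access" OR sourcetype="wmi:wineventlog:security", "login", "ips")
| stats dc(side) AS sides, values(sourcetype) AS sourcetypes, count AS events,
        min(_time) AS first_seen, max(_time) AS last_seen BY IP
| where sides=2
| convert ctime(first_seen) ctime(last_seen)
| sort - events
```

Because there is no subsearch, the 100-row limit mentioned above does not apply, and the stats output gives one row per correlated IP with the sourcetypes it was seen in and when.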