Splunk Search

Filter search results based on return value of subsearch

burns498
Explorer

Hello Splunk Community,

I am attempting to restrict search results based on the return value of a subsearch. My end goal is to construct a dashboard summary of our fail2ban intrusion prevention framework. In this particular panel I am trying to figure out which hosts have a bad fail2ban config and are NOT banning properly. My idea was to extract a field of hosts that did have a fail2ban Ban action via a subsearch, and then run a search on sshd failed login attempts with the hosts successfully banned removed from the end result. This way I can see which hosts exceeded the failed login attempts in a certain timeframe but did NOT successfully ban. I am able to extract the hosts that banned properly with this:

process=fail2ban.actions ban | dedup host | eval fail2ban_hosts=host | fields fail2ban_hosts

The result is one custom field named fail2ban_hosts that is a copy of the "host" field with duplicates removed. I was hoping I could pass these values to an outer search of sshd login attempts like so:

(process=sshd "failed password") | eval fail2ban_hosts=[search process=fail2ban.actions ban | dedup host | eval fail2ban_hosts=host | fields fail2ban_hosts]

This particular query results in an eval error but it's the sort of approach I am leaning toward. In my attempts I did get the following query to change the host field but then it only shows sshd logins for the hosts that ARE banning properly:

(process=sshd "failed password") [search process=fail2ban.actions ban | dedup host | eval fail2ban_hosts=host | fields host]

Perhaps I am using subsearch incorrectly or my approach in general may need some work. Any help would be greatly appreciated.

0 Karma
1 Solution

Ayn
Legend

If your last search there works as you want except you completely want to negate the results, just throw a NOT in there:

(process=sshd "failed password") NOT [search process=fail2ban.actions ban | dedup host | fields host]

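As an added illustration (not part of Ayn's answer or the original post), the accepted pattern extended into the kind of panel query the question describes: the subsearch collects the hosts that did ban, the NOT removes them from the outer search, and the remaining failed-password events are counted per host. The threshold of 5 attempts and the explicit 24-hour window are assumptions chosen for the example; adjust both to your environment.

```spl
process=sshd "failed password" earliest=-24h
    NOT [search process=fail2ban.actions ban earliest=-24h | dedup host | fields host]
| stats count AS failed_logins, min(_time) AS first_seen, max(_time) AS last_seen BY host
| where failed_logins > 5
| convert ctime(first_seen) ctime(last_seen)
| sort - failed_logins
```

The subsearch is evaluated first and its results are rewritten into search terms: with (constructed) banned hosts web01 and web02 the bracketed part becomes `NOT (host="web01" OR host="web02")`, which is why the original query with the bracket but no NOT only returned the hosts that were banning. Two caveats worth knowing when this goes on a dashboard: a subsearch inherits the outer time range unless it sets its own `earliest`/`latest`, and by default it is cut off at 10,000 results or 60 seconds of runtime (the `[subsearch]` stanza in limits.conf), so on a large fleet of hosts a truncated subsearch would silently make a banning host look broken.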
burns498
Explorer

Wow. It's embarrassing how much time I spent on that for such a simple solution. Thanks again Ayn!

0 Karma