- Splunk Answers
- :
- Splunk Premium Solutions
- :
- Security Premium Solutions
- :
- Splunk Enterprise Security
- :
- Re: Can you match with subsearch using an evaluate...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you match with subsearch using an evaluated field?
I am trying to compare 2 indexes (malicious domains against proxy logs) using an evaluated field. I have a subsearch which pulls from 2 fields (host and uri) and want to match it against a field (host and uri) of the parent search.
index=proxy_logs method=GET [inputlookup malicious_urls.csv | eval full_url=host.uri | table full_url] | eval full_url=host.uri | table full_url
It is not returning any events, but it should as I'm using test data. I've tried putting the eval before the subsearch, which I assumed was the problem like this:
index=proxy_logs method=GET | eval full_url=host.uri | search [inputlookup malicious_urls.csv | eval full_url=host.uri | table full_url] | table full_url
This also doesn't return any results. Any recommendations? I will also take a solution that allows to return both the host and uri individually and compare against host and uri in the proxy logs, but couldn't find that solution either. I can successfully just match on one field, the host, but this is rather noisy as many of the domains are domain shorteners.
Any help is appreciated. Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=proxy_logs method=GET [| inputlookup malicious_urls.csv | eval full_url=host.uri |stats values(full_url) as query | format]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So this returns a query with each full_url ORed together. But there is still no "full_url" field in the proxy_logs index to compare it to, so it doesn't return any results. Thats why I need to do the eval on the proxy_logs index as well, and compare against that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am sorry for I've mistaken.
my answer is updated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This works on returning the string including the full_url, but the base search doesn't have a "full_url" field until it is evaluated, and even then it wont directly search for the subsearch results in that field.
Would need to be something like the below, but it doesn't work:
index=proxy_logs method=GET | eval full_url=host.uri | search [| inputlookup malicious_urls.csv | eval full_url=host.uri |stats values(full_url) as query | format]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
https://docs.splunk.com/Documentation/Splunk/latest/Search/GetstartedwithSearch
The presence of the field is not relevant for the search.
what's the result you want?
table? events? only match (boolean)?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=proxy_logs method=GET full_url=*
Is there the results?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not without the eval full_url=host.uri command first as that field doesn't exist directly in the proxy logs index
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
