- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Can I use a where statement to show subsearche...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can I use a where statement to show subsearches that meet two sets of criteria?
I am trying to only show values within a report if both subsearches have a result. I am trying to show reporting on usage of privileged users, mapped to when they log into a network. Below is the current state of the search, I was trying to incorporate a final where statement like: "where status= " System Account Used", AND status="VDI Session Created" to make sure I don't get just one half of the results if the other does not exist. This doesn't work though. Thoughts on a better method?
|multisearch [search index=* *logged* ComputerName=pci-vdi* user=****|fields + user,name, ComputerName,Msg,app, EventCode,src_ip] [search host=servername123 sourcetype=systemX user=system action=failure| fields + user,host, app, action] |eval computer= coalesce(ComputerName, host), event=coalesce(name, action), Hour=strftime(_time, "%B %d %Y, %H:%M:%S %p"), user=upper(user) |where computer!=" " |eval status = case(app=="systemX"," System Account Used", app=="systemY","VDI Session Created") | dedup Hour | table Hour, user, computer, app,event, status | sort Hour user
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
would |set union [search index=* *logged* ComputerName=pci-vdi* user=****|eval status = case(app=="systemX"," System Account Used", app=="systemY","VDI Session Created")|eval Hour=strftime(_time, "%B %d %Y, %H:%M:%S %p")|fields Hour, user,name, ComputerName,app,status] [search host=servername123 sourcetype=systemX user=system action=failure|rename host as ComputerName |rename action as name|eval status = case(app=="systemX"," System Account Used", app=="systemY","VDI Session Created")|eval Hour=strftime(_time, "%B %d %Y, %H:%M:%S %p")| fields Hour, user,name, ComputerName, app,status]
work? you don't have _time in there to do anything with hour, but i've added it.
https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/Set
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks cmerriman, unfortunately that doesn't work for me. My original search works to give me the results I need when both values comes back. Now I need to make sure the report does not populate if one of the two searches comes back with zero findings. So I'd like to only populate the search only if both subsearches have a value. For example
Hour User computer app event status
August 21, 2017 carol123 system123 window server "user logged in" "VDI Session Created"
August 21, 2017 priv123 systemx app server "user logged in" System Account Used"
vs
Hour User computer app event status
August 21, 2017 carol123 system123 window server "user logged in" "VDI Session Created"
I would like to not show the second event only the first options.
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
