Splunk Search

How can I use the output of a search as input for another search to correlate my data?

andrew207
Path Finder

I have an authentication service.

This service uses EventID 10 which contains the name of the TargetApplication they are authenticating with, as well as a unique ID for the user's session.

The ID can then be correlated with EventID 11 (one Event10 to many Event11 relationship), which provides other details about the user. There are N instances of this event all containing data that needs to be correlated, and they all contain the ID for correlation. EventID 11 does not contain "target application", which has rendered me unable to use any simple methods of correlation.

If I use join, it will only join one of the EventID 11 entries; I need N entries.

If I use transaction, it fails because the EventID 11s do not contain the TargetApplication with which I am performing the initial search to retrieve a list of IDs. Transaction WILL work if I use an ID rather than a TargetApplication, but this is useless as I need more than one result per search.

If I use append/selfjoin, the TargetApplication search will be rendered useless, as when it is performing the append search for Event 11s, it will simply return all the results for every application because EventID 11 does not contain a TargetApplication.

So my question follows.

How do I use the output of a search

// returns list of EventID 10 with ID
TargetApplication=myApp

to power a new search

// returns a list of EventID 11 for the given ID, containing extra data for correlation.
foreach (resultingID in searchResults) {
    search [ ID=resultingID EventID=11 ] 
}

so I can correlate my data?

1 Solution

lguinn2
Legend

What you really need is just a subsearch - not an append or a join, etc. You need the results of one search (that's the subsearch) to actually drive the other search (called the base search).

Here you go:

EventID=11 [ search EventID=10 TargetApplication=myApp | dedup ID | fields ID ]

The subsearch will return a list of IDs in the form "ID=1001 OR ID=1010 etc." This list will be appended to the base search and the base search will then be executed. Be aware that there are limits to how many subsearch results are allowed.
Here is the documentation on subsearch

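The question also notes that the EventID 11 rows carry no TargetApplication, so even with the subsearch the output has the per-user detail but not the application it belongs to. The search below is an added example (not code from either poster) that extends the accepted answer: it pulls both event types for the IDs the subsearch found, copies TargetApplication from each ID's EventID 10 row onto its N EventID 11 rows with eventstats, and then keeps only the EventID 11 rows. It assumes that ID is unique per EventID 10 event (so dedup ID is safe) and that the fields you want to correlate live on the EventID 11 events; field names other than EventID, TargetApplication and ID are not taken from the page.

```spl
(EventID=10 OR EventID=11)
    [ search EventID=10 TargetApplication=myApp | dedup ID | fields ID ]
| eventstats values(TargetApplication) AS TargetApplication BY ID
| search EventID=11
| sort 0 ID _time
```

To see exactly what the subsearch will append to the base search, run the bracketed search on its own with `| format` added to the end; the `search` field it produces is the expanded clause, roughly `( ( ID="1001" ) OR ( ID="1010" ) )`. The limit the answer mentions is the `[subsearch]` stanza in limits.conf, by default `maxout = 10000` results and `maxtime = 60` seconds; when the EventID 10 population for myApp exceeds that, the ID list is truncated and the base search runs with a partial list, so check the job's messages when result counts look low. If the ID count can exceed the limit, drop the subsearch and let stats do the correlation instead: start from `(EventID=10 TargetApplication=myApp) OR EventID=11`, keep the same eventstats, and finish with `| search EventID=11 TargetApplication=myApp`. That version has no result cap but reads every EventID 11 event in the time range, so it trades the subsearch limit for a heavier scan.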
