Solved: Pass parent search field value to a subsearch

Dakxh · ‎03-11-2018

Hi,

I want to know if there is a way to pass parent search field value as source/input for sub-search for a different sourcetype and then stats its field.

e.g) we have an index=risk and the field value extracted from there is Image_Path=C:\windows\hosts.exe and one more index=endpoint which shares common field Image_Path and another field MD5 with different time period.

So i need to extract Image_Path value from the index=risk and then it needs to chained to sub-search with index=endpoint + extracted field value | then it needs to be stats Values(Image_Path) by MD5.

Can this be done ?

tiagofbmm · ‎03-11-2018

Yes you can do that, using the return command like this:

index=endpoint [
search index=risk Image_Path=C:\windows\hosts.exe
| dedup Image_Path
| return Image_Path]
| stats values(Image_Path) by MD5

Let me know if it works

View solution in original post

tiagofbmm · ‎03-11-2018

Yes you can do that, using the return command like this:

index=endpoint [
search index=risk Image_Path=C:\windows\hosts.exe
| dedup Image_Path
| return Image_Path]
| stats values(Image_Path) by MD5

Let me know if it works

Dakxh · ‎03-11-2018

Thank you !! i removed "| return Image_Path" - now i got what i need !!!

tiagofbmm · ‎03-11-2018

Great! Please accept the answer for future references to the same issue

Dakxh · ‎03-11-2018

Thanks a lot,

index=risk Image_Path=C:\windows\hosts.exe
| dedup Image_Path
| return Image_Path

"| return Image_path " creating new field "search" with value Image_Path="C:\windows\hosts.exe" but we don't have field search in index=endpoint ? here field name is Image_Path and value is C:\windows\hosts.exe alone any help on this.

Pass parent search field value to a subsearch

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases