Hello, I'm trying to run the following search:
Using subsearch I collect from DNS logs the source IP address and the domain they looked up.
Then, using the source IP address, query the Windows security event logs to see the user using the IP address at the time.
Create output with the destination, source IP and user details.
I'm having problems with subsearch and returning values.
How do you return multiple fields and then search further only using one of the fields (src in this case)?
[ search sourcetype="dns" "specific urls" | dedup src | return src query ]
sourcetype="WinSecurityEvent" src
| dedup accountname | stats values(accountname) AS accounts | table query, src, accounts
Or is there a better way of doing this?
I managed to get this to work but had to do it slightly differently.
As Splunk doesn't seem to support proper control over what to do with results that are returned from subsearches, I had to run two separate subsearches with OR between them.
(index=winsec sourcetype="WinSecurityEvent" src [ search sourcetype="dns" "specific urls" | dedup src | return 100 src_ip=src ] ) OR
(index=DNS [ search sourcetype="dns" "specific urls" | dedup src | return 100 query ])
| dedup accountname | stats values(accountname) AS accounts | table query, src_ip, accounts
I just posted an "idea" for the return command to be able to do what you would like it to do.
https://ideas.splunk.com/ideas/EID-I-532
The following is your command, rewritten with a rex command that should create a simple boolean expression from one subsearch.
(index=winsec sourcetype="WinSecurityEvent") OR index=DNS
[ search sourcetype="dns" "specific urls"
| dedup src
| return 100 src_ip=src OR query
| eval search = if(len(search)<3, "NOTHING FOUND")
| rex mode=sed field=search "s/ (OR|AND|NOT)=\"\" / \1 /g" ] )
| dedup accountname
| stats values(accountname) AS accounts
| table query, src_ip, accounts
The string in the eval command should be changed to something that will never be found. Depending on the use, perhaps "index!=*" might be more efficient. Otherwise, if nothing is found then the search will return an empty string that matches all events. This may be desired, in which case the eval statement should be removed.
Hi reinoheinanen,
You can use the fields command in your subsearch to return specified fields as arguments for the outer search. For example:
... [ search sourcetype="dns" "specific urls" | dedup src | fields src] ...
There are other ways you can change the format of subsearch results to meet your needs. For more information, please refer to the documentation: http://docs.splunk.com/Documentation/Splunk/6.5.1/Search/Changetheformatofsubsearchresults
Hope this helps. Thanks!
Hunter
Thanks Hunter,
So now I have another problem. The link you provided had details about the format command, which I was hoping to use to modify the returned search results so that it will work with multiple returned fields.
The Splunk docs say:
"The format command changes your subsearch results into a single linear search string. This is used when you want to pass the returned values in the returned fields into the primary search."
I have managed to get the query to work if I return a single field. But it doesn't work if I pipe it to format. It seems the primary search doesn't work with the returned linear search string?
[ search sourcetype="dns" "specific urls" | dedup src | return 3 src_ip=src | format ]
sourcetype="WinSecurityEvent"
| dedup accountname | stats values(accountname) AS accounts | table query, src_ip, accounts
The formatted search string that is returned contains (this does not work):
( ( "(src_ip=\"10.10.10.1\") OR (src_ip=\"10.10.10.2\") OR (src_ip=\"10.10.10.3\")" ) )
Without format (this works):
(src_ip="10.10.10.1") OR (src_ip="10.10.10.2") OR (src_ip="10.10.10.3")
Is there a bug, am I missing something from my command, or am I supposed to modify linear search strings somehow before they can be used with the primary search?
Thanks,
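An added Python emulation, not Splunk code from this thread, of two things discussed above: the single-subsearch expansion in the rex answer (dedup, return with the literal OR token, the empty-result guard, the sed-style rex) and the DNS-to-account join the original poster is after. The events are constructed samples, and the `(f1="v1" f2="v2") OR (...)` shape of return's output, with a missing field emitted as `name=""`, is modelled on what that answer's rex assumes.

```python
import re
from collections import defaultdict

# Constructed sample events standing in for the dns and WinSecurityEvent sourcetypes.
DNS_EVENTS = [
    {"src": "10.10.10.1", "query": "bad.example.com"},
    {"src": "10.10.10.2", "query": "bad.example.com"},
    {"src": "10.10.10.1", "query": "other.example.net"},  # same src, dropped by dedup src
]
WINSEC_EVENTS = [
    {"src_ip": "10.10.10.1", "accountname": "alice"},
    {"src_ip": "10.10.10.2", "accountname": "bob"},
    {"src_ip": "10.10.10.2", "accountname": "bob"},       # repeat, collapsed like dedup accountname
    {"src_ip": "10.10.10.9", "accountname": "carol"},     # never performed a lookup
]

def dedup(events, field):
    """Emulate `dedup <field>`: keep the first event for each distinct value."""
    seen, kept = set(), []
    for e in events:
        if e.get(field) not in seen:
            seen.add(e.get(field))
            kept.append(e)
    return kept

def return_command(events, fields, count=100):
    """Emulate `return <count> alias=field ...`: one parenthesised group per event,
    groups joined with OR. An alias with no matching field (the literal 'OR' here)
    comes out as alias="", which is the token the answer's rex rewrites."""
    groups = []
    for e in events[:count]:
        terms = [f'{alias}="{e.get(src, "")}"' for alias, src in fields]
        groups.append("(" + " ".join(terms) + ")")
    return " OR ".join(groups)

def build_subsearch(dns_events):
    """The answer's single subsearch: dedup src, return, empty guard, then the rex."""
    search = return_command(dedup(dns_events, "src"),
                            [("src_ip", "src"), ("OR", "OR"), ("query", "query")])
    if len(search) < 3:
        return "index!=*"  # a term matching nothing, instead of "" which matches everything
    # rex mode=sed field=search "s/ (OR|AND|NOT)=\"\" / \1 /g"
    return re.sub(r' (OR|AND|NOT)="" ', r' \1 ', search)

def correlate(dns_events, winsec_events):
    """The join the original poster wants: (query, src_ip, accounts) per lookup."""
    by_ip = defaultdict(set)
    for w in winsec_events:
        by_ip[w["src_ip"]].add(w["accountname"])  # set = values(accountname)
    rows = {(d["query"], d["src"]) for d in dns_events}
    return [(q, ip, sorted(by_ip[ip])) for q, ip in sorted(rows)]
```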