topic How to split up a search in a data model in Splunk Enterprise

How to split up a search in a data model

pitassi17 — Tue, 29 Sep 2020 12:33:45 GMT

I'm trying to take a search and put it into a data model. I really don't understand the documentation online about using root events and transaction events and the other stuff. I've done simple constraints with just one root event and that has been fine. I'm pretty sure I need to start with a root event but, since you can't put pipes in the constraints, I'm having a difficult time getting this search into the model. Here is the search:

(EventCode=4624 OR EventCode=4625) AND Logon_Type=3 Authentication_Package=NTLM NOT Account_Name="ANONYMOUS LOGON" AND Account_Domain="CHI" [ search EventCode=8001 NOT Domain_name_of_user="CHI" | where _time > relative_time(_time,"-5s") | eval Workstation_Name = host | fields + Workstation_Name ]

Any help with this is greatly appreciated!

Re: How to split up a search in a data model

rjthibod — Fri, 27 Jan 2017 15:02:44 GMT

You cannot have sub-searches in the constraint of a search in a datamodel.

You can only put in the first part

(EventCode=4624 OR EventCode=4625) AND Logon_Type=3 Authentication_Package=NTLM NOT Account_Name="ANONYMOUS LOGON" AND Account_Domain="CHI"

You should also restrict your search to specific index(es) or sourcetype(s) of some kind.

Re: How to split up a search in a data model

pitassi17 — Fri, 27 Jan 2017 15:06:24 GMT

So there is no way for me to add a field from a subsearch into my main search in data models? So I can only use a child to narrow down my results more?

Re: How to split up a search in a data model

rjthibod — Tue, 29 Sep 2020 12:37:01 GMT

Not in the search constraint. You can try adding it via a lookup field, but that would require you populating a lookup table with the Workstation_Name field via a savedsearch. That may be potentially risky if the Workstation_Name field value is very time sensitive relative to your first search. Risky being that your datamodel may not be accurate if the savedsearch to populate the lookup does not run reliably.

Re: How to split up a search in a data model

somesoni2 — Fri, 27 Jan 2017 15:55:06 GMT

Didn't get your subsearch-where clause. Won't _time > relative_time(_time,"-5s") always be true?? Or you want to check the _time of base search with subsearch, and that's not possible.

Re: How to split up a search in a data model

pitassi17 — Fri, 27 Jan 2017 15:59:54 GMT

I'm new to this so I wouldn't be surprised if that doesn't do what I think. I'm more interested in the data model aspect of the question. If it helps, pretend the where clause isn't there.