topic Re: Subsearch - how to search based on results of first search (e.g. foreach) in Splunk Enterprise

Subsearch - how to search based on results of first search (e.g. foreach)

mag314 — Tue, 24 Nov 2020 16:11:14 GMT

What is typically the best way to do splunk searches that following logic.

First Search (get list of hosts)
Get Results
Second Search (For each result perform another search, such as find list of vulnerabilities

My example is searching Qualys Vulnerability Data.

Searching HTTP Headers first and including Tag results in search query

index=qualys QID=48118 [search index=qualys "WebLogic RCE - CVE-2020-14882" | dedup IP | table IP] | stats latest(_time) values(DNS) values(RESULTS) by IP

The issue with this search is that it doesn’t include systems with the RCE tag but no QID=48118 (HTTP Headers Data)

Searching TAG first then Join

The issue here is that I only get back one HTTP RESULT, there should be a few for each port that is open.

Any links to the best way to create subsearches from results would be great for learning. Thanks.

Re: Subsearch - how to search based on results of first search (e.g. foreach)

richgalloway — Wed, 25 Nov 2020 22:29:46 GMT

The first search looks like it should work, but with some minor changes. When working with subsearches it helps to run the subsearch by itself with | format added to see what exactly is returned to the main search. Once you've adjusted the result of the subsearch, the rest should be easy.

Try this

index=qualys QID=48118 [search index=qualys "WebLogic RCE - CVE-2020-14882" | return 1000 IP] | stats latest(_time) values(DNS) values(RESULTS) by IP

Keep in mind that everything returned by the subsearch must be a field in the main search. You'll see why when you look at the format output. That result is ANDed to the main search query, which is why systems with an RCE, but no QID don't show up.

Re: Subsearch - how to search based on results of first search (e.g. foreach)

to4kawa — Tue, 24 Nov 2020 21:27:15 GMT

index=qualys QID=48118 OR "WebLogic RCE - CVE-2020-14882" | stats latest(_time) as _time values(DNS) as DNS values(RESULTS) as RESULTS count(eval(searchmatch("WebLogic RCE - CVE-2020-14882"))) as check_count by IP | where check_count > 0 | table _time IP DNS RESULTS

With Splunk, so let's search and select in bulk.

Re: Subsearch - how to search based on results of first search (e.g. foreach)

mag314 — Wed, 25 Nov 2020 21:00:08 GMT

Thanks for the |format insight. That helps. When I use the return IP it only returns one IP not the list of IPs. What I would like to see is that there are 15 systems returned from the subsearch and then for each of those systems if they have any QID=48118s then they show up. If none exist then it is blank. i.e. The RESULTS could return a blank if none are found.

Thank you.

Re: Subsearch - how to search based on results of first search (e.g. foreach)

mag314 — Wed, 25 Nov 2020 21:09:26 GMT

Thanks for your response. Does the searchmatch search across all fields in the record? This returned the 15 systems however all RESULTS from systems with "WebLogic" are returned. How do I only show the RESULTS from QID=48118 and not other QIDs from systems that have "WebLogic".

I want to search all systems with "WebLogic RCE - CVE-2020-14882" and for each of these systems list the QID=48118s if they exist.

Re: Subsearch - how to search based on results of first search (e.g. foreach)

richgalloway — Wed, 25 Nov 2020 22:29:25 GMT

My mistake. The return command defaults to returning a single entry. I've modified my answer.

Re: Subsearch - how to search based on results of first search (e.g. foreach)

to4kawa — Thu, 26 Nov 2020 08:18:29 GMT

index=qualys QID=48118 AND "WebLogic RCE - CVE-2020-14882" | stats latest(_time) as _time values(DNS) as DNS values(RESULTS) as RESULTS by IP | table _time IP DNS RESULTS

In those conditions, this would be fine.

Re: Subsearch - how to search based on results of first search (e.g. foreach)

mag314 — Thu, 26 Nov 2020 15:51:29 GMT

Interesting When I search index=qualys "WebLogic RCE - CVE-2020-14882" | return 1000 IP I get 3 IPs. When I add a dedup IP, index=qualys "WebLogic RCE - CVE-2020-14882" | dedup IP | return 1000 IP, I get 15 IPs. I double checked that I am running them over same 30d time span. Any ideas on why that would be the case?

Assuming I use the dedup, this command works well. However since it is using an AND with the subsearch it only shows the 9 of 15 IPs that have the QID. How would I modify it so it would also show the remaining 6 IPs but with blank RESULTS? This is what I was trying to do with my second search in the original post.

index=qualys QID=48118
[search index=qualys "WebLogic RCE - CVE-2020-14882"
|dedup IP | return 1000 IP]
| stats values(DNS) values(RESULTS) by IP

Thank you so much for your assistance.

Re: Subsearch - how to search based on results of first search (e.g. foreach)

mag314 — Thu, 26 Nov 2020 16:22:49 GMT

This returns 0 results because the QID=48118 AND "WebLogic RCE - CVE-2020-14882" are in separate events. Is there a way to modify your original search to only show QID RESULTS that are 48118? I was trying to do it by filtering out the other QIDs at the beginning but then I lose the "WebLogic" events. Thank you.

Re: Subsearch - how to search based on results of first search (e.g. foreach)

to4kawa — Thu, 26 Nov 2020 21:25:08 GMT

| stats ... count(eval(searchmatch("WebLogic RCE - CVE-2020-14882"))) as check_count count(eval(QID=48118)) as check_QID y IP

| where ... AND check_QID > 0