topic Re: subsearch join in Splunk Enterprise Security

subsearch join

jacqu3sy — Tue, 10 Mar 2020 16:49:58 GMT

Anything wrong with this join and subsearch? I know there are events which should match based on the 'cs_host' field. Not sure if the rename is confusing things, or my syntax is off slightly.

index=aaa sourcetype=o365 "*phish URLs*"  
| rename zu as cs_host
| join type=inner cs_host [ | search index=bbb sourcetype="proxy_logs" | fields *] | stats count by cs_host

Appreciate any ideas.

Re: subsearch join

mydog8it — Tue, 10 Mar 2020 17:20:21 GMT

Your syntax looks good to me. However remember the results are subject to limits.conf.spec:
from https://docs.splunk.com/Documentation/SplunkCloud/8.0.2001/SearchReference/Join :
Limitations on the subsearch for the join command are specified in the limits.conf.spec file. The limitations include the maximum subsearch to join against, the maximum search time for the subsearch, and the maximum time to wait for subsearch to fully finish. See Subsearches in the Search Manual.

So, if the matching results you are expecting are outside of the limits, they will not be returned.

Just as a suggestion, based on your search, I think this would give you the same results without the expense of a subsearch:

(index=aaa sourcetype=o365 "*phish URLs*" ) OR (index=bbb sourcetype="proxy_logs" | fields cs_host) |where zu=cs_host | stats count by cs_host

Re: subsearch join

jacqu3sy — Tue, 10 Mar 2020 18:38:12 GMT

Good spot. Sub search limitations. Its caught me out before and will do again I'm sure! If I switch the query around it works fine. Many thanks.

Re: subsearch join

wmyersas — Tue, 10 Mar 2020 21:47:54 GMT

It's legal - but seems to be pointless

You're doing a | join, ostensibly to get more fields, and then immediately throw them all away with a | stats count by