topic Re: Using search result(s) in a second, separate search in Splunk Search

Using search result(s) in a second, separate search

MikeElliott — Tue, 29 Sep 2020 18:28:33 GMT

Hi All,

I am looking to create a dashboard to support ongoing investigations. This dashboard will have many panels for logs such as windows event logs, web proxy logs, email gateway logs, endpoint protection logs, etc.

As per the below image, I would like to run an "AD_User_Search" which will return field values for "User_ID" and "Email_Address".

I would like the "WinEventLog_Search" and the "WebProxy_Search" to read the "User_ID" value returned from the "AD_User_Search" and then return relevant data from the windows event logs/web proxy logs. Likewise, the "EmailTraffic_Search" to read the "Email_Address" value returned from the "AD_User_Search" and return relevant data from the email gateway logs.

Can anyone advise the best way to go about this?

Re: Using search result(s) in a second, separate search

anjambha — Tue, 29 Sep 2020 18:28:36 GMT

Hi MikeElliott,

You can depend other three panels of dashboard on the "AD_User_Search" panel.

Create drop-down of user_id and email_address from "AD_User_Search".

Re: Using search result(s) in a second, separate search

Sukisen1981 — Tue, 29 Sep 2020 18:25:52 GMT

Hi,

There are several options here :

1)Use token drilldowns. Now your main panel is AD_user_search, that is perhaps just a list of user,email addr,user id. You can add some other stuff to the panel if some other 1-1 user information is present.
2) I would implement a row drill down to 3 other panels event log search, proxy search and email traffic search. I would pass a token value (on row selection) on these 3 child panels which will be populated by clicking on one row of the main 'ad_user_searc'h panel to fetch the user id (for log search, proxy search) and email addr (for email traffic search) respectively.
3) Default value set to ALL for all 3 child panels.
4) token drill down behavior - as soon as a row in the main panel is clicked, the values for user id and email addr is passed to the 3 child panels which will then show the requisite data on the same. The main thing is to pass the selected row token values to the respective panels. http://docs.splunk.com/Documentation/Splunk/7.0.2/Viz/DrilldownIntro

Re: Using search result(s) in a second, separate search

MikeElliott — Tue, 29 Sep 2020 18:28:38 GMT

Hi anjambha,

In your second suggestion, how would we populate the drop downs with the results from the "AD_User_Search"?

An example search string for the "AD_User_Search" would be index=active_directory username=XXX | table username user_id email_address

Re: Using search result(s) in a second, separate search

anjambha — Tue, 29 Sep 2020 18:28:44 GMT

So, in this case for proper output you can create three drop-down input ..
1)index=active_directory | dedup username | table username
2) index=active_directory username=$username$ | table user_id
3)index=active_directory |username=$username$ | table email_address