topic Combinding two searches into one in Splunk Search

Combinding two searches into one

amagson — Fri, 26 Nov 2021 11:32:59 GMT

Hello all,

I do appreciate this question has been asked several times, but I am struggling to understand how to link searches together.

I have search A that highlights what src_ip communicated with dest_ip on a specific port-

(index=netfw OR index=netproxy) AND ("192.168.*.*") AND (dest_port="23")
| table src_ip, dest_ip, dest_port, _time

I then take the results from the src_ip and link it to the second search in a new tab to find the computer hostname from the src_ip via DHCP logs -

index=oswinsec sourcetype=dhcp ip=192.168.*.*
| table ip, dest, date, time

Is it at all possible to combine these so when I do a search on a specific destination IP, the results src_ip is converted into the hostnames found in the DHCP source type?

thank you

Re: Combinding two searches into one

ITWhisperer — Fri, 26 Nov 2021 13:23:03 GMT

(index=netfw OR index=netproxy) AND ("192.168.*.*") AND (dest_port="23") | table src_ip, dest_ip, dest_port, _time | join type=left src_ip [ search index=oswinsec sourcetype=dhcp ip=192.168.*.* | table ip, dest, date, time | rename ip as src_ip]

Re: Combinding two searches into one

rrovers — Fri, 26 Nov 2021 13:33:42 GMT

I don't know if this gives exactly what you mean and I can't test it but maybe you can give it a try:

(index=netfw OR index=netproxy) AND ("192.168.*.*") AND (dest_port="23") | where dest_ip="xxx" | table src_ip, dest_ip, dest_port, _time | join type=outer src_ip [ search index=oswinsec sourcetype=dhcp ip=192.168.*.* | eval src_ip=ip] | table src_ip, dest, date, time hostname

If it doesn't work can you describe what goes wrong?

Re: Combinding two searches into one

amagson — Fri, 26 Nov 2021 15:06:14 GMT

Hi thank you for the post

So the top part

(index=netfw OR index=netproxy) AND ("192.168.*.*") AND (dest_port="23")

after the first AND, the IP here should be dest_ip="192.168.*.* followed by the dest port

what i want, is for the IPs found (src_ip) communicating with the dest_ip to be converted into hotnames from the -

index=oswinsec sourcetype=dhcp

Re: Combinding two searches into one

rrovers — Mon, 29 Nov 2021 07:33:53 GMT

I'm not sure if your case is clear to me.

In general, you have a collection A and you have a collection B. There is at least 1 field in common. You can use that field to relate the collections with a join. To relate the fields they must have the same name. You can use eval for that. Once they are related you can use the fields in collection B as output of your search.

So:

(index=netfw OR index=netproxy) AND dest_ip=("192.168.*.*") AND (dest_port="23")

gives a src_ip as a result.

Your collection B is

index=oswinsec sourcetype=dhcp ip=192.168.*.*

The ip you use here is the src_ip of collection B. You should use

eval src_ip=ip

if you want to use src_ip in the join (because the fields in the join must have the same name).

So maybe something like this:

(index=netfw OR index=netproxy) AND ("192.168.*.*") AND (dest_port="23") | where dest_ip="192.168.*.*" | join type=inner src_ip [ search index=oswinsec sourcetype=dhcp ] | table date time src_ip dest_ip hostname

if in the index=oswinsec the src_ip has a different name you could use

eval src_ip=[different name for src_ip]