https://community.splunk.com/t5/Splunk-Search/finding-result-based-off-2-queries/m-p/82272#M20895 <P>I asked this question last year and the search worked great, but as of version 5, I'm not getting any results anymore. Logs from one source look like this:</P> <P>04/02/13-11:34:57.686794 [**] [1:2008038:8] ET MALWARE User-Agent (Mozilla/4.0 (compatible ICS)) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} xxx.xxx.xxx.xxx:51611 -&gt; yyy.yyy.yyy.yyy:80</P> <P>and the logs that I'm interested look like this:</P> <P>Apr 2 11:40:45 wc-b authmgr[1613]: &lt;522008&gt; <NOTI>User Authentication Successful: username=user MAC=xx.xx.xx.xx.xx.xx IP=xxx.xxx.xxx.xxx role=Wireless-Campus-Compliant VLAN=2190 </NOTI></P> <P>The search that I'm interested in pulls the username out of the second query. This search worked great last year: "Trojan" | map search="search "User Authentication" IP=$dest_ip$" | fields username</P> <P>It's not working any more. The dest_ip from the first source should map to the IP address in the second source. I get no results. Any thoughts on what changed or what I could do differently to return the same result?</P> Tue, 02 Apr 2013 17:44:51 GMT gregwilliams 2013-04-02T17:44:51Z https://community.splunk.com/t5/Splunk-Search/finding-result-based-off-2-queries/m-p/82272#M20895 <P>I asked this question last year and the search worked great, but as of version 5, I'm not getting any results anymore. Logs from one source look like this:</P> <P>04/02/13-11:34:57.686794 [**] [1:2008038:8] ET MALWARE User-Agent (Mozilla/4.0 (compatible ICS)) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} xxx.xxx.xxx.xxx:51611 -&gt; yyy.yyy.yyy.yyy:80</P> <P>and the logs that I'm interested look like this:</P> <P>Apr 2 11:40:45 wc-b authmgr[1613]: &lt;522008&gt; <NOTI>User Authentication Successful: username=user MAC=xx.xx.xx.xx.xx.xx IP=xxx.xxx.xxx.xxx role=Wireless-Campus-Compliant VLAN=2190 </NOTI></P> <P>The search that I'm interested in pulls the username out of the second query. This search worked great last year: "Trojan" | map search="search "User Authentication" IP=$dest_ip$" | fields username</P> <P>It's not working any more. The dest_ip from the first source should map to the IP address in the second source. I get no results. Any thoughts on what changed or what I could do differently to return the same result?</P> Tue, 02 Apr 2013 17:44:51 GMT https://community.splunk.com/t5/Splunk-Search/finding-result-based-off-2-queries/m-p/82272#M20895 gregwilliams 2013-04-02T17:44:51Z https://community.splunk.com/t5/Splunk-Search/finding-result-based-off-2-queries/m-p/82273#M20896 <P>I'm not sure what may have changed, but here's a different approach. You're basically trying to use the dest_ip field from one search to find events in another search, right? A basic pattern for that looks like this:</P> <PRE><CODE>"User Authentication" [search "Trojan" | dedup dest_ip | table dest_ip] </CODE></PRE> <P>The subsearch will evaluate to something like this:</P> <PRE><CODE>( ( dest_ip = "..." ) OR ( dest_ip = "..." ) ... OR ( dest_ip ="..." ) ) </CODE></PRE> Tue, 02 Apr 2013 18:03:25 GMT https://community.splunk.com/t5/Splunk-Search/finding-result-based-off-2-queries/m-p/82273#M20896 martin_mueller 2013-04-02T18:03:25Z