topic Re: using the result of a first search in entry of a secon search in Splunk Search

How to use the result of a first search in entry of a second search?

darphboubou — Tue, 23 Aug 2022 13:55:24 GMT

HI,

I would like to get the servers who use only ntlmv1.

So in a first search I using this command

index="windows" EventCode=4624 AND(host="*-toto") Authentication_Package=NTLM Package_Name__NTLM_only_="NTLM V1"

I want to inject the result of this search in a second command line to retrieve the server which using ntlmV2.

At the end of those search i Want to get the server that only uses NTLMV1.

How can I proceed ?

Regards

Re: using the result of a first search in entry of a secon search

richgalloway — Tue, 23 Aug 2022 13:43:50 GMT

It depends on what needs to be passed from the first search to the second, how the passed fields will be used, and what the desired results are.

In general, it's like this

<<second search>> [ <<first search>> ]

The results of the first search are appended to the second search in (foo=bar OR baz=fubar) format.

Tell us more about the problem you're trying to solve and we can be more specific.

Re: using the result of a first search in entry of a secon search

darphboubou — Tue, 23 Aug 2022 14:37:02 GMT

thanks @richgalloway for your answer.

AS you can see in the command line below. Firstable I search for all the computers which using ntlmv1.

index="windows" AND (host="toto") Authentication_Package=NTLM Account_Domain!="NT AUTHORITY" Package_Name__NTLM_only_="NTLM V1"

Lets say that the result of this research give me those 3 computers name

ComputerA

ComputerB

Computer C

I want to put this result (this 3 computer) in this command line

index="windows" AND (host="toto") Authentication_Package=NTLM Account_Domain!="NT AUTHORITY" Package_Name__NTLM_only_="NTLM V2"

to check if these 3 computers are also using ntlmv2. I want to know if one or more of these computers do not show up after the second search. This way, I will know that computerX never used NTLMV2.

At the end of my search, I want to know the names of the computers that only use NTLMV1.

Sorry for my english.

Regards

Re: using the result of a first search in entry of a secon search

richgalloway — Tue, 23 Aug 2022 15:06:41 GMT

That's different. We can just merge the two searches to get a list of computers that only use NTLMV1.

index="windows" AND (host="toto") Authentication_Package=NTLM Account_Domain!="NT AUTHORITY" (Package_Name__NTLM_only_="NTLM V1" OR Package_Name__NTLM_only_="NTLM V2") | stats values(Package_Name__NTLM_only_) as Package_Name__NTLM_only_ by ComputerName | where (mvcount(Package_Name__NTLM_only_)=1 AND Package_Name__NTLM_only_="NTLM V1")

Re: using the result of a first search in entry of a secon search

darphboubou — Wed, 24 Aug 2022 06:03:16 GMT

@richgalloway Perfect 🙂

Re: using the result of a first search in entry of a secon search

darphboubou — Fri, 09 Sep 2022 12:52:06 GMT

HOw can I add the Host in the table given by the request. I'm enable to show host field in the result actually

index="windows" EventCode=4624 AND (host=*) Authentication_Package=NTLM Account_Domain!="NT AUTHORITY" (Package_Name__NTLM_only_="NTLM V1" OR Package_Name__NTLM_only_="NTLM V2") | stats values(Package_Name__NTLM_only_) as Package_Name__NTLM_only_ by Workstation_Name | where (mvcount(Package_Name__NTLM_only_)=1 AND Package_Name__NTLM_only_="NTLM V1") | join type=left Workstation_Name [ search index=bel_ldapsearch AND (type=server) earliest=-1d@d latest=@d | table name operatingSystem | rename name as Workstation_Name operatingSystem as os] | table Workstation_Name Package_Name__NTLM_only_ os | where isnotnull(os) | sort Workstation_Name

Re: using the result of a first search in entry of a secon search

richgalloway — Fri, 09 Sep 2022 13:03:20 GMT

Do you want to show the Host field or host field (they're different)? In which index is the Host field stored (host is in all indexes)?

Re: using the result of a first search in entry of a secon search

darphboubou — Fri, 09 Sep 2022 13:41:07 GMT

host field and it's in the windows index

Re: using the result of a first search in entry of a secon search

richgalloway — Fri, 09 Sep 2022 14:18:00 GMT

The challenge with using the host field from the windows index is the stats command does not provide that field. The command would have to be changed to include the field so it can be added to subsequent table commands for display.

index="windows" EventCode=4624 AND (host=*) Authentication_Package=NTLM Account_Domain!="NT AUTHORITY" (Package_Name__NTLM_only_="NTLM V1" OR Package_Name__NTLM_only_="NTLM V2") | stats values(Package_Name__NTLM_only_) as Package_Name__NTLM_only_ ***values(host) as host*** by Workstation_Name | where (mvcount(Package_Name__NTLM_only_)=1 AND Package_Name__NTLM_only_="NTLM V1") | join type=left Workstation_Name [ search index=bel_ldapsearch AND (type=server) earliest=-1d@d latest=@d | table name operatingSystem | rename name as Workstation_Name operatingSystem as os] | table Workstation_Name Package_Name__NTLM_only_ os ***host*** | where isnotnull(os) | sort Workstation_Name

I used *** to indicate new code. Remove them before running the query.