topic Re: An Alternative to Subsearch in Splunk Search

An Alternative to Subsearch

dcfrench3 — Wed, 10 Jan 2024 16:17:46 GMT

Hello,

I am trying to use a subsearch in order to create a dashboard, but being the subsearches have limitations it is timing out and not producing results. I know the code works when I shorten the duration of time and logs it's ingesting, but that is not an acceptable solution for this dashboard. Is there a better way to write this code or another way for me to produce the results?

index="iis_logs" sourcetype="iis" s_port="443" sc_status=401 cs_method!="HEAD" [search index="windows_logs" LogName="Security" Account_Domain=EXCH OR Account_Domain="-" EventCode="4625" OR EventCode="4740" user="john@doe.com" OR user="johndoe" | where NOT cidrmatch("192.168.0.0/16",Source_Network_Address) | top limit=1 Source_Network_Address | dedup Source_Network_Address | rename Source_Network_Address as c_ip | table c_ip]

My goal is to take information from first panel in my dashboard and then use that information to do a different search in another panel

Re: An Alternative to Subsearch

gcusello — Wed, 10 Jan 2024 16:39:15 GMT

Hi @dcfrench3 ,

you can put both the searches in the main search and then use stats By the search keys to correlate events, something like this:

(index="iis_logs" sourcetype="iis" s_port="443" sc_status=401 cs_method!="HEAD") OR (index="windows_logs" LogName="Security" Account_Domain=EXCH OR Account_Domain="-" EventCode="4625" OR EventCode="4740" user="john@doe.com" OR user="johndoe") | eval c_ip=coalesce(Source_Network_Address,c_ip) | stats dc(index) AS index_count values(*) AS * BY c_ip | where index_count=2

I don't know which fields you need, so I used values(*) AS * but you can use the fields you need.

Ciao.

Giuseppe

Re: An Alternative to Subsearch

dtburrows3 — Wed, 10 Jan 2024 19:33:47 GMT

I agree with @gcusello here.
I did notice the use of the | top limit=1 Source_Network_Address in the original subsearch which I think implies that you are trying to scope the search down to a single IP address that shows up the most often in the windows_logs index and not in the 192.168.0.0/16 range.

Which I think can be done with a couple of additional lines like this.

Re: An Alternative to Subsearch

dcfrench3 — Wed, 10 Jan 2024 21:28:41 GMT

Hi @gcusello and @dtburrows3 ,

Thanks for getting back to me. Sorry if my question wasn't 100% clear. So my current goal is that I'm attempting to create a dashboard. In one panel I have a base search of:

index="windows_logs" LogName="Security" Account_Domain=EXCH OR Account_Domain="-" EventCode="4625" OR EventCode="4740" user="john@doe.com" OR user="johndoe"

This is to grab the reason an account was locked out and would also show the source IP of that information. I essentially need to grab the IP information from this initial search so I can use it in the follow search:

index="iis_logs" sourcetype="iis" s_port="443" sc_status=401 cs_method!="HEAD" c_ip=<source IP information from initial search>

I tried to use a subsearch, but being the I am pulling from an index with iis logs, it's too large of a search and times out before it can complete.

Re: An Alternative to Subsearch

dtburrows3 — Wed, 10 Jan 2024 21:43:28 GMT

Ahh I see,

Note: this response is assuming usage of classic Splunk dashboards (XML)

So for panel_1 (used to gather the top source IP)
You can add a <done> tag and set a token based on the value of Source_Network_Address.
Example of Search_1:

index="windows_logs" LogName="Security" Account_Domain=EXCH OR Account_Domain="-" EventCode="4625" OR EventCode="4740" user="john@doe.com" OR user="johndoe" | where NOT cidrmatch("192.168.0.0/16", Source_Network_Address) | stats count as count, values(Account_Domain) as Account_Domain, values(EventCode) as EventCode, values(user) as user by Source_Network_Address | sort 1 -count

This token can then be referenced in panel_2

index="iis_logs" sourcetype="iis" s_port="443" sc_status=401 cs_method!="HEAD" c_ip=$ip$

In the XML this would look something like this,

. . . <search> <query> index="windows_logs" LogName="Security" Account_Domain=EXCH OR Account_Domain="-" EventCode="4625" OR EventCode="4740" user="john@doe.com" OR user="johndoe" | where NOT cidrmatch("192.168.0.0/16", Source_Network_Address) | stats count as count, values(Account_Domain) as Account_Domain, values(EventCode) as EventCode, values(user) as user by Source_Network_Address | sort 1 -count </query> <earliest>-24h@h</earliest> <latest>now</latest> <done> <set token="ip">$result.Source_Network_Address$</set> </done> </search> . . .

Notice the <done><set token="ip">$result.Source_Network_Address$</set></done> nested in the <search> tags. This is taking the final result's value from the field Source_Network_Address and assigning it to a token named $ip$. This token can then be referenced by panel_2.

Re: An Alternative to Subsearch

gcusello — Thu, 18 Jan 2024 06:59:57 GMT

Hi @dcfrench3 ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉