topic Re: return a result from fields based on 2 queries in Splunk Search

return a result from fields based on 2 queries

gregwilliams — Wed, 11 Apr 2012 16:22:15 GMT

I'm trying to return a field based upon a search and within that search extract a variable to search for in another search. For example, I would like to get the username of the person who is authenticated on a computer in which an alert was triggered. The IDS events come in, which display a destination IP address then I want to search for that IP address in the authentication logs, then return the username within the authentication log. Any ideas?

Re: return a result from fields based on 2 queries

tysonstewart — Wed, 11 Apr 2012 16:42:51 GMT

Seems like a subsearch case.

logger=Authentication [search IDS | fields IP]

Or something similar. You can use the format command to determine how you want the subsearch to concatenate its results for the main search.

Update, using a map command:

first search | map search="search \"User Authentication\" IP=$dest_IP$" | fields username

Re: return a result from fields based on 2 queries

gregwilliams — Wed, 11 Apr 2012 16:57:23 GMT

I get a "Encoutered an enexpected error while parsing intentions." error. Here are the 2 logs I want to correlate:

mm/dd-xx:xx:xx.xxxxx ET TROJAN From CnC [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} xx.xx.xx.xx:xxxxx -> yy.yy.yy.yy:yyyy

yy.yy.yy.yy is recognized as the dest_ip as a field

and I want to correlate with this log:

User Authentication Successful: username=zzzzzzz IP=yy.yy.yy.yy

I want to correlate dest_ip and IP and return the username

Re: return a result from fields based on 2 queries

tysonstewart — Wed, 11 Apr 2012 17:08:26 GMT

Oh, nice. You might be able to use a transaction to do that, depending on how many other events you expect to have with that IP.

I'm going to guess you'll want to do this for more than one IP address, so it's probably better to go the map route:

| map search="\"User Authentication\" IP=$dest_IP$" | fields username

You can replace that "User Authentication" bit with whatever search will identify those types of events. The magic in map is the $variable$ part.

Let me know if this works and I'll update the answer.

Re: return a result from fields based on 2 queries

gregwilliams — Wed, 11 Apr 2012 17:47:11 GMT

Works with a little tweaking. I couldn't include the quotes into the mapped search, but I substituted that with the event ID of the authenticaiton string. Works great!

"first search string" | map search="search xxxxxx IP=$dest_ip$" | fields username

Re: return a result from fields based on 2 queries

tysonstewart — Wed, 11 Apr 2012 18:14:34 GMT

Yeah, I noticed that the splunkbase comment stripped the backslashes off those inner quotation marks. I'll update the original answer. Glad you got it working. 🙂

Oh, if you schedule that search, you'll need to save the map's search off as its own saved search (see http://splunk-base.splunk.com/answers/27658/map-command-breaks-when-scheduled).