topic How to filter transaction results based on results of a subsearch? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-filter-transaction-results-based-on-results-of-a/m-p/206892#M60277 <P>I have a search which is using transaction to create events for each transaction. I then need to filter those events to show only transaction events containing one of many IP addresses returned from a subsearch.</P> <PRE><CODE>host=ADFS* sourcetype="WinEventLog:Security" (EventCode=4624 OR EventCode=501 OR EventCode=299 OR EventCode=410) | fields _time, Account_Name, Security_ID, Activity_ID, Instance_ID, X_MS_Forwarded_Client_IP, EventCode | eval Account_Name=mvindex(Account_Name, 1) | rex field=X_MS_Forwarded_Client_IP mode=sed "s/(,\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})//" | transaction Security_ID Activity_ID Instance_ID maxspan=10s startswith=EventCode=4624 endswith=EventCode=410 </CODE></PRE> <P>The results of which will contain the IP address in the X_MS_Forwarded_Client_IP field.</P> <P>This is the subsearch I have to find my target IP addresses which I need to filter on:</P> <PRE><CODE>[index="its-o365-audit" Status=Delivered SenderAddress="&lt;&gt;" FromIP!=129.100.* FromIP!=10.* | top 100 FromIP | search count&gt;5 | table FromIP | rename FromIP as X_MS_Forwarded_Client_IP] </CODE></PRE> <P>Not sure how to filter from here? I can do search X_MS_Forwarded_Client_IP="1.2.3.4" but that only works if I want to hard code a single IP into my search. I want to see all transactions for all IPs returned from the subsearch.</P> <P>Thanks,<BR /> Andrew</P> Tue, 29 Sep 2020 07:43:20 GMT aculveruwo 2020-09-29T07:43:20Z How to filter transaction results based on results of a subsearch? https://community.splunk.com/t5/Splunk-Search/How-to-filter-transaction-results-based-on-results-of-a/m-p/206892#M60277 <P>I have a search which is using transaction to create events for each transaction. I then need to filter those events to show only transaction events containing one of many IP addresses returned from a subsearch.</P> <PRE><CODE>host=ADFS* sourcetype="WinEventLog:Security" (EventCode=4624 OR EventCode=501 OR EventCode=299 OR EventCode=410) | fields _time, Account_Name, Security_ID, Activity_ID, Instance_ID, X_MS_Forwarded_Client_IP, EventCode | eval Account_Name=mvindex(Account_Name, 1) | rex field=X_MS_Forwarded_Client_IP mode=sed "s/(,\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})//" | transaction Security_ID Activity_ID Instance_ID maxspan=10s startswith=EventCode=4624 endswith=EventCode=410 </CODE></PRE> <P>The results of which will contain the IP address in the X_MS_Forwarded_Client_IP field.</P> <P>This is the subsearch I have to find my target IP addresses which I need to filter on:</P> <PRE><CODE>[index="its-o365-audit" Status=Delivered SenderAddress="&lt;&gt;" FromIP!=129.100.* FromIP!=10.* | top 100 FromIP | search count&gt;5 | table FromIP | rename FromIP as X_MS_Forwarded_Client_IP] </CODE></PRE> <P>Not sure how to filter from here? I can do search X_MS_Forwarded_Client_IP="1.2.3.4" but that only works if I want to hard code a single IP into my search. I want to see all transactions for all IPs returned from the subsearch.</P> <P>Thanks,<BR /> Andrew</P> Tue, 29 Sep 2020 07:43:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-transaction-results-based-on-results-of-a/m-p/206892#M60277 aculveruwo 2020-09-29T07:43:20Z Re: How to filter transaction results based on results of a subsearch? https://community.splunk.com/t5/Splunk-Search/How-to-filter-transaction-results-based-on-results-of-a/m-p/206893#M60278 <P>Figured it out using a join.</P> <PRE><CODE>host=ADFS* sourcetype="WinEventLog:Security" (EventCode=4624 OR EventCode=501 OR EventCode=299 OR EventCode=410) | fields _time, Account_Name, Security_ID, Activity_ID, Instance_ID, X_MS_Forwarded_Client_IP, EventCode | eval Account_Name=mvindex(Account_Name, 1) | rex field=X_MS_Forwarded_Client_IP mode=sed "s/(,\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})//" | transaction Security_ID Activity_ID Instance_ID maxspan=10s startswith=EventCode=4624 endswith=EventCode=410 | join X_MS_Forwarded_Client_IP [ search index="its-o365-audit" Status=Delivered SenderAddress="&lt;&gt;" FromIP!=129.100.* FromIP!=10.* | top 100 FromIP | search count&gt;5 | table FromIP | rename FromIP as X_MS_Forwarded_Client_IP ] | rename X_MS_Forwarded_Client_IP as IP | stats count by Account_Name, IP </CODE></PRE> Tue, 27 Oct 2015 21:16:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-transaction-results-based-on-results-of-a/m-p/206893#M60278 aculveruwo 2015-10-27T21:16:41Z