Alerting

Creating Indirect / Cascading Search

dscoland
Path Finder

Hi Splunk Community,

I have what I would hope to be a simple question.

Our company has always monitored domain account lockouts, but recently we wanted to take it a bit further, and monitor IIS logs for potential lockouts attempted to authenticate against our Exchange CAS servers.

Therefore, our main real-time search script is as such:

index!=_audit EventCode=4740 | table _time, EventCodeDescription, Account_Name, Security_ID, Account_Domain, Caller_Computer_Name | eval _time=strftime(_time, "%H:%M:%S %m-%d-%y") | fields - _raw | rename _time AS "When?", Message AS "Who?_Where?"

I had an idea that, instead of going through the hassle of associating fields between WinEventLog:Security and iis to figure out why someone would get locked out on our CAS server, it would be more efficient to generate a report of the past 10 minutes (give or take 3 minutes; I haven't decided on that) for sc_win32_status=1326 (bad username or password from iis).

Script below:

sourcetype="iis" sc_win32_status=1326 | eval username=lower(cs_username) | fillnull | stats count by username, cs_uri_stem, cs_User_Agent | where count>1 AND count<6 | sort -count

My goal would be to generate this IIS report when the Caller_Computer_Name is equal to the name of one of our CAS servers when the EventCode=4740 alert is thrown.

Is there a way to achieve this?

Thank you in advance,
Daniel

1 Solution

somesoni2
Revered Legend

You can look at the 'map' command using which you can run a search based on the search result of another search.
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Map

It should basically be something like this:

index!=_audit EventCode=4740 Caller_Computer_Name="YourCASServerName" | stats count | where count > 0 | map [search sourcetype="iis" sc_win32_status=1326 | eval username=lower(cs_username) | fillnull | stats count by username, cs_uri_stem, cs_User_Agent | where count>1 AND count<6 | sort -count]

dscoland
Path Finder

It looks like this can't be run as a real-time alert because it will alert every time that there is a match in the subsearch. Is that a bug?


somesoni2
Revered Legend

It's basically: for each search result in the base search, you can run the subsearch specified in the map command (that's why I used stats to limit the base search results to 1). You can't map multiple searches directly, but there are workarounds.

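The two-stage logic of the accepted answer, together with the per-result behaviour of map described in this comment, modelled in Python as an added example (this is not code from the thread, from Splunk, or from the Splunk SDK). The CAS server names cas01 and cas02, the timestamps and every event below are constructed sample data, and the functions mirror the SPL stages in memory rather than calling Splunk. It goes slightly beyond the thread by also showing what the lower() and fillnull steps do to usernames that are mixed-case or missing.

```python
from collections import Counter
from datetime import datetime, timedelta

# Assumed CAS host names (placeholders, not from the thread); matched case-insensitively
CAS_SERVERS = {"cas01", "cas02"}
LOOKBACK = timedelta(minutes=10)      # the "past 10 minutes" window from the question
MIN_COUNT, MAX_COUNT = 2, 5           # mirrors "where count>1 AND count<6"
NOW = datetime(2024, 1, 5, 10, 2, 0)  # constructed "now" for the look-back window


def _sec(hh, mm, account, caller, code=4740):
    """Build a constructed WinEventLog:Security event."""
    return {"_time": datetime(2024, 1, 5, hh, mm, 0), "EventCode": code,
            "Account_Name": account, "Caller_Computer_Name": caller}


def _iis(hh, mm, user, stem, agent, status=1326):
    """Build a constructed IIS event (sc_win32_status 1326 = bad user name or password)."""
    return {"_time": datetime(2024, 1, 5, hh, mm, 0), "cs_username": user,
            "cs_uri_stem": stem, "cs_User_Agent": agent, "sc_win32_status": status}


SECURITY_EVENTS = [
    _sec(10, 0, "jdoe", "CAS01"),        # lockout called from a CAS server: the trigger
    _sec(10, 1, "asmith", "WKSTN-22"),   # lockout from a workstation: ignored here
    _sec(9, 30, "old", "CAS02"),         # CAS lockout, but outside the look-back window
]

IIS_EVENTS = [
    _iis(9, 55, "JDoe", "/owa/auth.owa", "Mozilla/5.0"),   # three spellings, one user after lower()
    _iis(9, 56, "jdoe", "/owa/auth.owa", "Mozilla/5.0"),
    _iis(9, 57, "JDOE", "/owa/auth.owa", "Mozilla/5.0"),
    _iis(9, 40, "jdoe", "/owa/auth.owa", "Mozilla/5.0"),   # outside the window
    _iis(9, 58, "bob", "/owa/auth.owa", "Mozilla/5.0"),    # a single failure: count>1 drops it
    _iis(9, 59, "jdoe", "/owa/auth.owa", "Mozilla/5.0", status=0),    # success, not 1326
    _iis(9, 53, None, "/Microsoft-Server-ActiveSync", "Apple-iPhone"),  # no username: fillnull -> "0"
    _iis(9, 54, None, "/Microsoft-Server-ActiveSync", "Apple-iPhone"),
] + [_iis(9, 52 + i, "svc_backup", "/ews/exchange.asmx", "Microsoft Office/16.0")
     for i in range(6)]                                   # six failures: count<6 drops it


def normalize(value):
    """eval username=lower(cs_username) | fillnull : a missing value becomes the string "0"."""
    return value.lower() if value else "0"


def cas_lockouts(events, cas_servers=CAS_SERVERS, now=NOW, lookback=LOOKBACK):
    """Stage one: EventCode=4740 events in the window whose caller is a CAS server."""
    start = now - lookback
    return [e for e in events
            if e.get("EventCode") == 4740
            and start <= e["_time"] <= now
            and (e.get("Caller_Computer_Name") or "").lower() in cas_servers]


def iis_bad_password_report(events, now=NOW, lookback=LOOKBACK,
                            min_count=MIN_COUNT, max_count=MAX_COUNT):
    """Stage two: stats count by username, cs_uri_stem, cs_User_Agent, then the
    count filter and a descending sort (sort -count)."""
    start = now - lookback
    counts = Counter()
    for e in events:
        if e.get("sc_win32_status") != 1326 or not (start <= e["_time"] <= now):
            continue
        key = (normalize(e.get("cs_username")),
               e.get("cs_uri_stem") or "0", e.get("cs_User_Agent") or "0")
        counts[key] += 1
    rows = [{"username": u, "cs_uri_stem": s, "cs_User_Agent": a, "count": c}
            for (u, s, a), c in counts.items() if min_count <= c <= max_count]
    rows.sort(key=lambda r: r["count"], reverse=True)
    return rows


def cascading_alert(security_events, iis_events, cas_servers=CAS_SERVERS,
                    now=NOW, lookback=LOOKBACK):
    """Equivalent of: base search | stats count | where count > 0 | map [IIS search].
    Collapsing the base search to a single count means the IIS report is built
    once, no matter how many CAS lockouts fired in the window."""
    triggers = cas_lockouts(security_events, cas_servers, now, lookback)
    if not triggers:
        return {"lockouts": 0, "report": []}
    return {"lockouts": len(triggers),
            "report": iis_bad_password_report(iis_events, now, lookback)}


if __name__ == "__main__":
    result = cascading_alert(SECURITY_EVENTS, IIS_EVENTS)
    print(f"CAS lockouts in window: {result['lockouts']}")
    for row in result["report"]:
        print(row)
```

With the constructed data this reports one CAS lockout and two rows: jdoe with three OWA failures, and the "0" bucket that fillnull creates for ActiveSync requests carrying no cs_username. The `if not triggers` branch plays the role of `stats count | where count > 0`: map runs its subsearch once per row of the base search, so without that collapsing step every matching 4740 event would produce another copy of the IIS report, which is the repeated alerting described later in this thread for real-time mode.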

dscoland
Path Finder

Wow, dude. I didn't know that the map command was there. Does that mean you can map multiple searches, or just one?


dscoland
Path Finder

There will be multiple CAS servers, but all of them will have a static name.


somesoni2
Revered Legend

Name of CAS servers will be a static value?


dscoland
Path Finder

Is this possible using the Python SDK?
