All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Using results from one searchin a second and combining the results

BryanScovill
Explorer
‎12-14-2018 11:11 AM

Sorry, this is probably easy and I'm missing something, but but I've been beating my head on it so...

I am trying to that the results from one search and take fields from that search and utilize them in a second search combining the results.

Specifically, I am trying to search my firewall logs, take a source_ip and start_time and utilize those in a "data enrichment" type search against our DHCP logs to find mac & hostname. I've had some success with sub-searches, but that doesn't seem like the right mech. It seems like either a macro or a lookup but I'm dead ending on both. My latest attempt was with map...

index=firewall | head 1 | map search="search index=dhcp DHCPACK dest_ip=$src_ip$ timeformat="%m-%d-%Y %h:%m:%s" latest=$start_time$ | | head 1 | fields dest_mac | fields - _time "

... which seems to eliminate all of my firewall results, leaving me with dhcp results.

Any suggestions/pointers?

Thanks

Tags (1)
0 Karma
Reply

Vijeta
Influencer
‎12-14-2018 02:47 PM

I am not sure if I understood correctly, but try the below search to get you latest destip based on srcip

 index=firewall | rename src_ip as ip|join ip [search index=dhcp DHCPACK |stats latest(*) as *, latest(_time) as _time by dest_ip| rename dest_ip as ip]| fields dest_mac <your other field names>
0 Karma
Reply

BryanScovill
Explorer
‎12-15-2018 12:36 PM

Well, I was trying to avoid join because it was so intensely slow over a log the size of a firewall log. I was trying to go down the route of a macro that I could feed ip & time and get a mac returned as a new field.

I have been playing with the search above and a couple of thoughts. First is I am unclear why we'd go the stats realm. Is that returning the last instance of dhcp records with the dest_ip fed? Which leads me to the next thing... I need to go off of the start_time from the firewall log. The concern being dhcp logs for the same dest_ip after the start_time may reflect the dhcp address having been reassigned.

Re: sample data...
from the firewall. source_ip and start_time are bolded

Dec 15 15:28:38 firewall-host 1,2018/12/15 15:28:38,,TRAFFIC,end,0,,10.21.94.190,192.229.210.163,132.177.238.65,192.229.210.163,rule 230,rmw1031,,incomplete,,Inside,Inet,ethernet1/19.384,ethernet1/20.100,,2018/12/15 15:28:38,,,51132,443,29213,443,,tcp,allow,286,146,140,4,2018/12/15 15:28:27,,any,0,,,10.0.0.0-10.255.255.255,United States,0,2,2,tcp-rst-from-client,0,0,0,0,,firewall-host,from-policy,,,0,,0,,N/A

From the DHCP log. the dest_ip, dest_mac, and hostname are bolded. I've been using _time from this log.

Dec 15 15:12:42 132.177.128.99 dhcpd[17818]: DHCPACK on 10.21.94.190 to c4:98:80:ee:45:64 (ConstanesiPhone) via eth3 relay eth3 lease-duration 7200 (RENEW) uid 01:c4:98:80:ee:45:64

My desired result would simply be to maintain the firewall log and append the dest_mac and hostname fields as new fields.

But I should mention one of my struggles has been making sure the DHCP log entry is the latest entry before the firewall log's "start_time" field. I know that is one of the trippy bits.

0 Karma
Reply

BryanScovill
Explorer
‎12-14-2018 01:12 PM

firewall does, but the DHCP logs only have an ip field (dest_ip) and the standard _time field. The _time field certainly wouldn't match the firewall's start_time but what I am shooting for is the the last DHCP log entry matching that IP before the start_time.

0 Karma
Reply

Vijeta
Influencer
‎12-14-2018 12:31 PM

Do both your DHCP and firewall logs have source_ip and start_time fields ?

0 Karma
Reply

nplamondon
Communicator
‎12-14-2018 01:45 PM

Sample data and desired results would help here.

0 Karma
Reply
Get Updates on the Splunk Community!

Cultivate Your Career Growth with Fresh Splunk Training

Growth doesn’t just happen—it’s nurtured. Like tending a garden, developing your Splunk skills takes the right ...

Introducing a Smarter Way to Discover Apps on Splunkbase

We’re excited to announce the launch of a foundational enhancement to Splunkbase: App Tiering.  Because we’ve ...

How to Send Splunk Observability Alerts to Webex teams in Minutes

As a Developer Evangelist at Splunk, my team and I are constantly tinkering with technology to explore its ...