How do I loop the results into another search and get the desired output?

brywilk_umich
Path Finder

Hello,

I am new to Splunk and trying to come up with a way that would grab the usernames in certain lines (21_ubl) of a log, then loop back and search the logs for the multiple usernames in the Auth [IP Address] log lines, and get an output that would have the username and the IP address gained from the second search. I'm not sure where to begin. I've included examples of the log lines and the desired output.

LOG LINES

Oct 24 10:07:43 servername message[29979.1382623627]: mscan: 21_ubl: username1 on 127.0.0.1

Oct 24 10:07:43 servername message[29979.1382623627]: mscan: 21_ubl: username2 on 127.0.0.1

Oct 23 14:02:18 servername message[10488.1382551334]: Auth [1.1.1.1] host.net: username1 authenticated via PLAIN+TLs

Oct 23 14:02:18 servername message[10488.1382551334]: Auth [2.2.2.2] host2.net: username1 authenticated via PLAIN+TLs

Oct 23 14:02:18 servername message[10488.1382551334]: Auth [3.3.3.3] host3.net: username2 authenticated via PLAIN+TLs

Desired results would be a report with

Username1 1.1.1.1

         2.2.2.2

Username2 3.3.3.3

Update: I have 2 searches now and am trying to figure out how to create a subsearch.
I need to combine them so that #1's output feeds into the %username% variable.
1. Gives just the username from UBL users
index=collaboration sourcetype="mail-2" | rex "(?i)1_ubl: (?P<username>\w+)" | stats values(username)
2. List IPs by username
index=collaboration sourcetype="mail-2" %username% | rex "(?i) Auth \[(?P<ipAddr>[^\]]+)" | stats values(ipAddr)


kristian_kolb
Ultra Champion

It seems like you have all the relevant information in the 'Auth' events:

...| rex "Auth\s\[(?<ipAddr>[^\]]+)\]\s\S+\s(?<userId>\w+)\s" | stats values(ipAddr) by userId

or if you want to do what you say, then this looks like the classical subsearch use case.

http://docs.splunk.com/Documentation/Splunk/6.0/Search/Aboutsubsearches

/k

kristian_kolb
Ultra Champion

If you looked at the linked docs, it shows an example that may be useful for finding things out in one search and using them in another.

Assuming that you already have extracted (in props.conf) the fields discussed above, the search would be something like:

sourcetype=blah Auth [search sourcetype=blah 21_ubl | dedup userid | fields + userid] | stats values(ipAddr) by userid

The inner search gets executed first and returns the distinct userids (from 21_ubl log lines), and this gets added to the outer search, so that it now reads:

sourcetype=blah Auth (userid=user1 OR userid=user2)

/k
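To make the subsearch mechanics concrete outside Splunk, here is an added Python example (not code from either poster or from Splunk) that replays the same two-stage logic over the constructed log lines from the question: the inner stage collects the distinct userids from 21_ubl lines, the outer stage keeps only Auth lines for those users and groups IP addresses by user. A sixth, constructed Auth line for a user who is not on the UBL list is included to show that such users drop out of the report, which is the concern raised in the follow-up. The regex names (userid, ipAddr, userId) follow the thread; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample log lines, mirroring the format shown in the question.
# username3 is constructed to show that users absent from 21_ubl lines are excluded.
SAMPLE_LOG = """\
Oct 24 10:07:43 servername message[29979.1382623627]: mscan: 21_ubl: username1 on 127.0.0.1
Oct 24 10:07:43 servername message[29979.1382623627]: mscan: 21_ubl: username2 on 127.0.0.1
Oct 23 14:02:18 servername message[10488.1382551334]: Auth [1.1.1.1] host.net: username1 authenticated via PLAIN+TLs
Oct 23 14:02:18 servername message[10488.1382551334]: Auth [2.2.2.2] host2.net: username1 authenticated via PLAIN+TLs
Oct 23 14:02:18 servername message[10488.1382551334]: Auth [3.3.3.3] host3.net: username2 authenticated via PLAIN+TLs
Oct 23 14:05:00 servername message[10488.1382551334]: Auth [4.4.4.4] host4.net: username3 authenticated via PLAIN+TLs
"""

# Inner-search extraction: userid from 21_ubl lines.
UBL_RE = re.compile(r"21_ubl:\s+(?P<userid>\w+)\s", re.IGNORECASE)
# Outer-search extraction: ipAddr and userId from Auth lines (same shape as the rex in the answer above).
AUTH_RE = re.compile(r"Auth\s\[(?P<ipAddr>[^\]]+)\]\s\S+\s(?P<userId>\w+)\s")


def blocklisted_users(lines):
    """Inner search: distinct userids from 21_ubl lines (the 'dedup userid | fields + userid' step)."""
    users = set()
    for line in lines:
        m = UBL_RE.search(line)
        if m:
            users.add(m.group("userid"))
    return users


def auth_ips_by_user(lines, users):
    """Outer search: Auth lines restricted to the given users, then 'stats values(ipAddr) by userId'."""
    result = defaultdict(set)
    for line in lines:
        m = AUTH_RE.search(line)
        if m and m.group("userId") in users:
            result[m.group("userId")].add(m.group("ipAddr"))
    # values() in Splunk returns a sorted, de-duplicated multivalue field; sorted lists mimic that.
    return {user: sorted(ips) for user, ips in result.items()}


def ubl_report(log_text):
    """Run the inner stage, then feed its result into the outer stage."""
    lines = log_text.splitlines()
    return auth_ips_by_user(lines, blocklisted_users(lines))


if __name__ == "__main__":
    for user, ips in sorted(ubl_report(SAMPLE_LOG).items()):
        print(user, " ".join(ips))
```

Running it prints username1 with 1.1.1.1 and 2.2.2.2 and username2 with 3.3.3.3, matching the desired report; username3 never appears because it has no 21_ubl line.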

brywilk_umich
Path Finder

I have the following searches working; now I need to combine them so that #1's output feeds into the %username% variable.

1. Gives just the username from UBL users

index=collaboration sourcetype="mail-2" | rex "(?i)1_ubl: (?P<username>\w+)" | stats values(username)

2. List IPs by username

index=collaboration sourcetype="mail-2" %username% | rex "(?i) Auth \[(?P<ipAddr>[^\]]+)" | stats values(ipAddr)


brywilk_umich
Path Finder

Thanks, I'll take a look at the subsearch. We need the first log line to show if they are on the UBL list, as the Auth line will include all users (not just the ones on the block list). Do you have any thoughts on how to accomplish that with the subsearch?
