Alerting

Multiple Searches for an Alert

johann2017
Explorer

Hello. I want to combine more than one search in order to create an alert. For example, I currently have a search (alert) running that looks for when a specific process name is launched. After that search brings back results, I get an alert. I then have to manually log into Splunk and run other searches based off data in the original process name launch alert to finally get to the data I am looking for.

Is it possible to either somehow combine the other searches to work together or have Splunk automatically launch the other searches after it sees that this process name is launched in the original alert?

0 Karma

woodcock
Esteemed Legend

As others have said, you can use a subsearch, which is probably the correct way. You can also use map, which is the converse of subsearch.

0 Karma

to4kawa
Ultra Champion

Hi, @johann2017
Yes, you can.
You can search again from the first search result using a subsearch.
An example is as follows:

index=your_index2 sourcetype=your_sourcetype2 [ search index=your_index sourcetype=your_sourcetype something | return $process_name ]

If you can provide specific log samples and sample results, I can write more detailed queries.
(source=WinRegistry (key_path="HKLM\\sam" OR key_path="HKLM\\security" OR registry_key_name=sam OR registry_key_name=security) user=svchost.exe)
OR (EventCode=4672 Account_Name!=dmon40)
OR (EventCode=4624 Logon_Type=3 Authentication_Package!=Kerberos)
| stats values(_time) as _time values(_raw) as event values(Process_name) as Process_name dc(source) as source_count by host
| where source_count > 1

You don't need a subsearch.

0 Karma

johann2017
Explorer

Ok I will test this out!

0 Karma

johann2017
Explorer

Alright! Let me explain the searches below. If search #1 triggers an event, then I would somehow need searches #2 and #3 to automatically kick off immediately. Searches #2 and #3 would need to automatically fill in the host name that was returned from the search #1 results.

(1) First search that would need to be run:
source=WinRegistry key_path="HKLM\sam" OR key_path="HKLM\security" OR registry_key_name=sam OR registry_key_name=security user=svchost.exe

(2) Second search:
host=$host$ EventCode=4672 Account_Name!=dmon40

(3) Third search:
host=$host$ EventCode=4624 Logon_Type=3 Authentication_Package!=Kerberos

0 Karma

to4kawa
Ultra Champion

@johann2017
I edited the answer. Please confirm.

0 Karma

johann2017
Explorer

@to4kawa - I tested this out and it appears to work! However, it is very difficult to read. I had table, sort, and rename syntax in before (which I didn't provide in the searches I previously gave you); can this be added to make everything easier to read? See below for my original searches including the table, sort, and rename syntax that was missing....

1:
source=WinRegistry key_path="HKLM\sam" OR key_path="HKLM\security" OR registry_key_name=sam OR registry_key_name=security user=svchost.exe
| sort -_time
| table _time, host, user, process_image, registry_path, registry_key_name, registry_type
| rename registry_path AS "Registry Path" registry_key_name AS "Registry Key Name" registry_type AS "Registry Type" host AS "Host" user AS "User" process_image AS "Process Image"

2:
host=$host$ EventCode=4672 Account_Name!="dmon40" Account_Name!="dmon45"
| sort -_time
| table _time, Account_Name, Account_Domain, Security_ID, subject

3:
host=$host$ EventCode=4624 Logon_Type=3 Authentication_Package!=Kerberos
| sort -_time
| table _time, src, user, host, EventCode, Logon_Type, Authentication_Package, Logon_Process, signature
| rename src AS "IP Source" host AS "Destination Machine" user AS "Account used in Source"

0 Karma
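As an added example (not from any of the posters above), this is how the three searches in the post above can be chained in a single SPL search: the first search becomes a subsearch that emits the hosts it matched, and that host filter is applied to the 4672 and 4624 searches. The outer parentheses are required because the subsearch result is ANDed with what precedes it and AND binds tighter than OR; `dedup host` keeps the subsearch output to one term per host.

```spl
(
    (EventCode=4672 Account_Name!="dmon40" Account_Name!="dmon45")
    OR (EventCode=4624 Logon_Type=3 Authentication_Package!=Kerberos)
)
[ search source=WinRegistry
    (key_path="HKLM\\sam" OR key_path="HKLM\\security" OR registry_key_name=sam OR registry_key_name=security)
    user=svchost.exe
  | dedup host
  | fields host ]
| sort -_time
| table _time, host, EventCode, Account_Name, Account_Domain, Security_ID, src, user, Logon_Type, Authentication_Package, Logon_Process, signature
| rename host AS "Destination Machine" src AS "IP Source" user AS "Account used in Source"
```

The subsearch runs over the same time range as the outer search unless you give it its own earliest/latest, and it is capped by the subsearch result and time limits (10,000 results and 60 seconds by default), so keep the alert's window narrow enough that the registry search stays within them.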

dindu
Contributor

Hi Johann,

You could use the join operation to combine two searches.

first_search
| fields field1, field2, process_name
| join type=inner process_name
    [ search second_search
      | fields field3, field4, process_name ]
| table field1, field2, field3, field4, process_name

Both searches should contain a common field to join on, i.e. process_name in this case.

Please accept and upvote if this helps

Happy splunking!!

0 Karma

johann2017
Explorer

Hello dindu! In my case, I need to run two additional searches after the first search triggers an event for that process. However, the two additional searches are searching different sourcetypes and different fields. The Process_name is not a part of the two other searches... is there still a way to do this?

0 Karma