Splunk Search

Pull 2 sourcetypes based off the timestamp and IP in a lookup table for +/- 5 minutes from the timestamp

splunkfuinator
New Member

I have a query that produces a lookup table with three columns: _time, src_IP, and user. _time is currently formatted with strftime(_time, "%F-%H:%M") and labeled "Time1". I would like to make a query that takes the src_IP, looks at the _time, and then searches for 2 sourcetypes, HTTP and HTTPS, with the source (src) IP as the source of the traffic for + and - 5 minutes before and after the _time in the lookup table.

So, if you look at the example in my .png, the new search would take the src_ip of .210 and do another search for HTTP/HTTPS traffic from .210 between 16:15 - 16:25.

tyvm!



martin_mueller
SplunkTrust

That's a textbook case for map: http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/map

```spl
search producing that table with _time left as epoch | eval start = relative_time(_time, "-5m") | eval end = relative_time(_time, "+5m") | map search="search earliest=$start$ latest=$end$ (sourcetype=HTTP OR sourcetype=HTTPS) src=\"$src_ip$\""
```

That'll run one search for every result returned by the first search for that src_ip around the timestamp.
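One way to wire this up end to end, as an added example rather than the poster's or Splunk's own search: it assumes the lookup has been saved as suspicious_logins.csv (an assumed name) with the columns _time/Time1, src_IP and user from the question, converts the strftime-formatted Time1 back to epoch with strptime so relative_time can do arithmetic on it, raises map's maxsearches above its default of 10, and carries the seed row's user and time into each matched event.

```spl
| inputlookup suspicious_logins.csv
| eval _time = strptime(Time1, "%F-%H:%M")
| eval start = relative_time(_time, "-5m"), end = relative_time(_time, "+5m")
| map maxsearches=100 search="search earliest=$start$ latest=$end$ (sourcetype=HTTP OR sourcetype=HTTPS) src=\"$src_IP$\" | eval seed_time=\"$Time1$\", seed_user=\"$user$\""
| table seed_time seed_user src dest sourcetype _time
```

map stops once maxsearches is reached, so size it to the lookup's row count or the last rows are silently skipped. Field names are case-sensitive, so $src_IP$ must match the lookup column exactly.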
