Splunk Search

Use subsearch results for dbquery

hartfoml
Motivator

I have a subsearch that finds destination IPs like this:

[search sourcetype=ids sid=xxxx | dedup dst | table dst]

I want to use my local vulnerability scanner database to ID the system, using the query with "dst" as the "IPAddressStr":

| dbquery "SQL" "SELECT IPAddressStr, NBName FROM Assets where ipAddressStr LIKE '$dst$'"

0 Karma
1 Solution

linu1988
Champion

| dbquery "SQL" "SELECT IPAddressStr, NBName FROM Assets" | where [search sourcetype=ids sid=xxxx | dedup dst | table dst | rename dst as IPAddressStr]

This will work.


0 Karma

martin_mueller
SplunkTrust

Set up a DB lookup as per this: http://docs.splunk.com/Documentation/DBX/latest/DeployDBX/Setupadatabaselookuptable
Run your search like this:

sourcetype=ids sid=xxxx | dedup dst | table dst | lookup local=1 your_table ipAddressStr as dst OUTPUT NBName

You can define that as an automatic lookup if you're not in a distributed environment.

hartfoml
Motivator

Thanks Martin,

This is good stuff!!!

0 Karma

hartfoml
Motivator

Martin,

This is a great suggestion, and while the answer below works (thank you very much, Linu, it works great), it may not be as flexible as your suggestion.

Can you maybe give an example of the syntax as an answer rather than a comment so I can try it, and if it works better, then I can use it as the answer for this question?

Thanks, Mike H.

0 Karma

martin_mueller
SplunkTrust

Have you considered switching to a database-backed lookup? Then you'd run your ids search and the lookup would add the additional fields to that search automagically.

0 Karma


hartfoml
Motivator

Martin's answer below is the better long-term answer. Setting up a lookup will allow me to use the lookup over and over again.

I chose this answer because it was easy to setup rather than modifying and implementing a database lookup.

I will use the answer below, just not right now.

0 Karma

hartfoml
Motivator

The table is not that big, and there is a join as well; the search only takes about 10 seconds. Thanks, Linu and Martin. Can you offer an example of the lookup suggestion above?

0 Karma

martin_mueller
SplunkTrust

Depending on the size of the Assets table that'll be catastrophically slow.

0 Karma
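An added example, not from this thread and not Splunk or DB Connect code, that models in Python with an in-memory SQLite table what the two approaches discussed above actually pull from the database: the accepted answer's `dbquery` fetches every row of Assets and lets Splunk filter them with the OR expression the subsearch expands to, while a lookup pushes the list of dst values into the query so only matching rows leave the database (Martin's point about table size). The Assets rows, the IDS events and the rendering of the subsearch expansion are constructed assumptions, not data or behaviour taken from the page.

```python
"""Added example (not from the original thread): what the two enrichment
strategies pull from the database, modelled with SQLite.

Assumptions not stated on the page: Assets lives in an in-memory SQLite DB,
the IDS events are a constructed list, and format_subsearch() is a simplified
rendering of how Splunk substitutes a one-field subsearch into a search.
"""
import sqlite3

# Constructed asset inventory standing in for the vulnerability scanner DB.
ASSETS = [
    ("10.0.0.5", "WEB01"),
    ("10.0.0.6", "WEB02"),
    ("10.0.0.7", "DB01"),
    ("10.0.1.20", "WS-ALICE"),
    ("10.0.1.21", "WS-BOB"),
]

# Constructed IDS events; sid=1000 plays the role of `sid=xxxx` in the thread.
IDS_EVENTS = [
    {"sid": 1000, "src": "203.0.113.9", "dst": "10.0.0.5"},
    {"sid": 1000, "src": "203.0.113.9", "dst": "10.0.0.7"},
    {"sid": 1000, "src": "198.51.100.4", "dst": "10.0.0.5"},   # duplicate dst
    {"sid": 2001, "src": "198.51.100.4", "dst": "10.0.1.20"},  # other signature
    {"sid": 1000, "src": "198.51.100.4", "dst": "10.0.9.99"},  # not in inventory
]


def open_assets_db():
    """Create the Assets table with the two columns used in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Assets (IPAddressStr TEXT PRIMARY KEY, NBName TEXT)")
    conn.executemany("INSERT INTO Assets VALUES (?, ?)", ASSETS)
    conn.commit()
    return conn


def subsearch_dst(events, sid):
    """`search sid=<sid> | dedup dst | table dst`: unique dst values, first-seen order."""
    seen = []
    for ev in events:
        if ev["sid"] == sid and ev["dst"] not in seen:
            seen.append(ev["dst"])
    return seen


def format_subsearch(field, values):
    """Simplified rendering (assumption) of what Splunk substitutes for a
    one-field subsearch: an OR of field="value" terms. That expansion is why
    `where [subsearch]` in the accepted answer filters the dbquery rows."""
    return " OR ".join(f'({field}="{v}")' for v in values)


def enrich_pull_whole_table(conn, dsts):
    """Accepted answer's shape: dbquery returns every Assets row and Splunk
    filters afterwards. Returns (ip -> NBName, rows fetched) so the cost shows."""
    rows = conn.execute("SELECT IPAddressStr, NBName FROM Assets").fetchall()
    wanted = set(dsts)
    return {ip: name for ip, name in rows if ip in wanted}, len(rows)


def enrich_lookup(conn, dsts, batch=500):
    """Lookup-style enrichment: the dst list goes into the WHERE clause, so only
    matching rows are fetched. Values travel as bound parameters rather than
    being pasted into the SQL text; the IN list is chunked to keep it bounded."""
    result, fetched = {}, 0
    for i in range(0, len(dsts), batch):
        chunk = dsts[i:i + batch]
        marks = ",".join("?" * len(chunk))
        sql = f"SELECT IPAddressStr, NBName FROM Assets WHERE IPAddressStr IN ({marks})"
        for ip, name in conn.execute(sql, chunk):
            result[ip] = name
            fetched += 1
    return result, fetched


def join_events(events, sid, mapping):
    """The enriched IDS events: NBName added where the inventory knows the dst."""
    return [dict(ev, NBName=mapping.get(ev["dst"])) for ev in events if ev["sid"] == sid]


if __name__ == "__main__":
    conn = open_assets_db()
    dsts = subsearch_dst(IDS_EVENTS, 1000)
    print(format_subsearch("IPAddressStr", dsts))
    print("whole table:", enrich_pull_whole_table(conn, dsts))
    print("lookup:", enrich_lookup(conn, dsts))
    print(join_events(IDS_EVENTS, 1000, enrich_lookup(conn, dsts)[0]))
```

Both functions produce the same mapping; the difference is in the second element of the tuple, the number of rows that crossed from the database to the search: all of Assets for the `dbquery`-then-filter shape, only the matched hosts for the lookup shape. That gap is what grows with the size of the Assets table.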