Dashboards & Visualizations

Can I query an entire list of results from one panel in another panel?

rsh324
Engager

Hello Splunk Community!

I am very new to Splunk, and SPL. My question is...

If I have a dashboard of two panels (VulnScans, Firewall_Events), would I be able to accomplish the following query (or anything like it) in the 'Firewall_Events' panel:

index=firewall src_ip=List_of_IPs_from_table_in_VulScans AND src_port=List_of_Ports_from_table_in_VulScans

What I would like to achieve is to take both the vulnerable IPs and their associated vulnerable port (IP.252 AND port23, IP.224 AND port25, ...) that were output from the query in the VulScans panel, and search them in the firewall events for any traffic to/from that IP AND to/from its port for further investigation.

Would I be able to AND each row or conjoin the IP and Port somehow to be seen as one item/field (IP1 AND Port1 as Asset1)?
Would I be able to OR each set; search for IP.252 AND Port23 OR IP.224 AND Port25, ... and so forth?



bowesmana
SplunkTrust

@rsh324 

With Splunk, you will find the answer is invariably yes, but there are often several ways to solve the problem 🙂

As far as using the results from panel search 1 in panel 2, no, that's not directly possible, although with time and javascript knowledge, it probably can be done.

The way to do this would typically be using a subsearch, i.e.

index=firewall [
 search <here_search_for_src_ip_and_src_port>
 | stats count by src_ip src_port
 | fields - count
]

See https://docs.splunk.com/Documentation/Splunk/8.1.1/SearchTutorial/Useasubsearch

You can see what the subsearch will present to the outer search by running the subsearch on its own and then adding

| format

to the end of the query - you will see how the subsearch results get added to the parent search. Note that subsearches are normally always run before the parent.

As to the field combining, look at the eval command - this is the Swiss Army knife of all things Splunk SPL:

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eval

| eval asset=src_ip.":".src_port

will create a new field called asset, which will be, for example, 10.10.10.10:8080
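Putting both parts of the reply together, as an added example that is not from either post: one subsearch builds each IP/port pair as an AND term and ORs the rows together, so the outer search matches firewall traffic where the vulnerable host is either the source or the destination, and the eval then labels each side as an asset. The `vulnscans` index, the `severity`, `ip` and `port` field names, and the CIM-style firewall field names (`src_ip`, `src_port`, `dest_ip`, `dest_port`, `action`) are assumptions.

```spl
index=firewall
    [ search index=vulnscans severity=high
      | stats count BY ip port
      | eval search="(src_ip=".ip." src_port=".port.") OR (dest_ip=".ip." dest_port=".port.")"
      | stats values(search) AS search
      | eval search="(".mvjoin(search, " OR ").")"
      | fields search ]
| eval src_asset=src_ip.":".src_port, dest_asset=dest_ip.":".dest_port
| stats count BY src_asset dest_asset action
```

Run the subsearch on its own to see the expanded boolean expression in its search field; subsearch output is capped (10,000 results by default), so a large scan result set should be narrowed before it is handed to the outer search.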
