Hi All,
Appreciate some suggestions for a problem I'm facing. I have a search which outputs a few results, and what I want to do is, take each results _time and modify the earliest and latest times to be within +/- 1 minute of the events, and pass on a value from a certain field to a second search.
I have looked at other answers and I can see suggestions for using subsearches, and also the map command. The problem, though, is that the events from the original search are not kept this way. With the map command you can pass specific fields from the first search to be kept using further evals; however, this gets tedious when you want to keep as many fields as possible.
Example:
First search (checks for 'file create' events in sysmon):
index=sysmon EventId=11 file_name=test_file* file_name="test_file.txt"
Let's say this produces 3 results, with 3 different times and 3 different users.
time 1 | test_file.txt | user 1 |
time 2 | test_file.txt | user 2 |
time 3 | test_file.txt | user 3 |
Bear in mind there would be other fields too in the actual events.
Then what I would like to do is, take time 1 for example, extend the time range by 1 minute either side, and use a second search to pass in the file name and user name to see where this file was downloaded from.
Second search:
index=web file_name=test_file.txt earliest=(time1 - 1min) latest=(time1 + 1min) user=user1
This should give me an additional event with the corresponding file download (with URL etc.), whilst keeping the 3 events from the 1st search.
So when you look at all events, you would have both the file download event from the web index, and the file create event from sysmon, while keeping all the fields and values from both events.
Appreciate any ideas. Thanks!
Question about your "second search". By that do you mean you want to do a drilldown when the user clicks on one of the result rows to display the information surrounding that event? If so, what kind of dashboard are you using (simple xml, or dashboard studio)?
Thank you for the reply. No, I'm not talking about dashboards at all. I want to do this within a search itself without having to use dashboards and tokens etc. I guess I'm kind of looking for a similar functionality that you have in dashboards, but within search itself.
I don't think there is a way to do that in a single search. After all, you are looking for specific events (search one) and then trying to expand around each of those events (searches 2+). There is the map command, which technically isn't a single search as it runs once for each event up to the maxsearches value. That's really not a great solution as it could easily end up running hundreds of searches to actually be useful, with terrible performance. You could reduce the maxsearches but then you would not get data for each event in the base search. The best way I can think to do it would be a dashboard with a base search and drilldowns that pass values to a second search to get more detailed information.
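Worked SPL for the map pattern that the question and the answer above both describe, added here as an example and not part of the original thread. The index names and the file_name and user fields come from the question; win_start/win_end, window_start/window_end and the url field are assumed names. The inner search re-fetches the sysmon event inside the +/-1 minute window alongside the web events, so both kinds of event survive with all their fields instead of only the ones carried over by eval:

```spl
index=sysmon EventId=11 file_name="test_file.txt"
| eval win_start=floor(_time)-60, win_end=ceil(_time)+60
| fields file_name user win_start win_end
| map maxsearches=10 search="
    search earliest=$win_start$ latest=$win_end$
        ( (index=sysmon EventId=11 file_name=\"$file_name$\" user=\"$user$\")
          OR (index=web file_name=\"$file_name$\" user=\"$user$\") )
    | eval window_start=$win_start$, window_end=$win_end$
  "
| sort 0 window_start _time
| table _time index window_start window_end file_name user url
```

Each row from the sysmon search triggers one inner search, so maxsearches caps how many windows get expanded (the performance limit the answer points out), and rows beyond that cap are silently dropped.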