Dashboards & Visualizations

Pass modified time range to a second search with variables while keeping original search results

xiantros
Engager

Hi All,

Appreciate some suggestions for a problem I'm facing. I have a search which outputs a few results, and what I want to do is take each result's _time, modify the earliest and latest times to be within +/- 1 minute of the event, and pass on a value from a certain field to a second search.

I have looked at other answers and I can see suggestions for using subsearches, and also the map command. The problem, though, is that the events from the original search are not kept this way. With the map command you can pass specific fields from the first search to be kept using further evals, however this gets tedious when you want to keep as many fields as possible.

Example:

First search (checks for 'file create' events in sysmon):

index=sysmon EventId=11 file_name=test_file* file_name="test_file.txt"

Let's say this produces 3 results, with 3 different times and 3 different users.

_time  | file_name     | user
time 1 | test_file.txt | user 1
time 2 | test_file.txt | user 2
time 3 | test_file.txt | user 3

Bear in mind there would be other fields too in the actual events.

Then what I would like to do is, take time 1 for example, extend the time range by 1 minute either side, and use a second search to pass in the file name and user name to see where this file was downloaded from.

Second search:

index=web file_name=test_file.txt earliest=(time1 - 1min) latest=(time1 + 1min) user=user1

This should give me an additional event with the corresponding file download (with url etc.), whilst keeping the 3 events from the 1st search.

So when you look at all events, you would have both the file download event from the web index and the file create event from sysmon, while keeping all the fields and values from both events.

Appreciate any ideas. Thanks!

0 Karma

fredclown
Builder

Question about your "second search". By that do you mean you want to do a drilldown when the user clicks on one of the result rows to display the information surrounding that event? If so, what kind of dashboard are you using (simple xml, or dashboard studio)?

0 Karma

xiantros
Engager

Thank you for the reply. No, I'm not talking about dashboards at all. I want to do this within a search itself without having to use dashboards and tokens etc. I guess I'm kind of looking for similar functionality to what you have in dashboards, but within search itself.

0 Karma

fredclown
Builder

I don't think there is a way to do that in a single search. After all, you are looking for specific events (search one) and then trying to expand around each of those events (searches 2+). There is the map command, which technically isn't a single search as it runs once for each event up to the maxsearches value. That's really not a great solution as it could easily end up running hundreds of searches to actually be useful, with terrible performance. You could reduce maxsearches, but then you would not get data for each event in the base search. The best way I can think to do it would be a dashboard with a base search and drilldowns that pass values to a second search to get more detailed information.

0 Karma
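For reference, the correlation the question describes, written as an added example (not the poster's search or anything from Splunk's docs): each sysmon file-create hit drives one map iteration, and the inner search covers a +/- 60 second window in both indexes, so the original sysmon event comes back alongside the web download with all of its fields and no per-field eval is needed. The indexes, EventId=11, and the field names file_name and user are assumed from the thread; earliest/latest are epoch seconds computed before map and substituted via $field$ tokens.

```spl
index=sysmon EventId=11 file_name="test_file.txt"
| eval earliest=_time-60, latest=_time+60
| fields _time earliest latest file_name user
| map maxsearches=20 search="search earliest=$earliest$ latest=$latest$ file_name=\"$file_name$\" user=\"$user$\" ((index=sysmon EventId=11) OR index=web)"
| dedup index _raw
| sort 0 _time
```

The dedup guards against the same sysmon event being returned twice when two file creates fall within the same two-minute window, and maxsearches still caps the number of inner searches, so fredclown's performance caveat applies: keep the base search narrow.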