Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Problem: Searching for matching fields within multiple source types

KNichol5hd
Explorer
‎03-11-2013 11:48 AM

I am a new Splunk user who uses Splunk to find infected hosts on our network. I currently run 3 separate searches to pinpoint the users but would like to combine them into one with the goal of ultimately having this e-mailed to myself.

These are the following searches:
sourcetype=pan:traffic src_translated_port=##### src_translated_ip=###.###.##.## earliest=11/02/2012:23:00:00 latest=11/03/2012:00:23:00

I then review these results to find the src_ip needed to run the subsequent searches.
Using the src_ip, I then run this search:
sourcetype=msdhcp earliest=11/02/2012:23:00:00 latest=11/03/2012:00:23:00 src_ip=###.###.##.###

I then review these results to find the MAC address associated with the first two searches.
Using the MAC address, I then run this search to determine the user associated with the MAC:
sourcetype=campusmgr earliest=11/02/2012:23:00:00 latest=11/03/2012:00:23:00 ##:##:##:##:##:##

Is there a way to combine these searches into one using map search or the eval commands?

Any insight would be appreciated. Thanks

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-11-2013 02:20 PM

You could combine the searches like this:

sourcetype=campusmgr earliest=11/02/2012:23:00:00 latest=11/03/2012:00:23:00 [search sourcetype=msdhcp earliest=11/02/2012:23:00:00 latest=11/03/2012:00:23:00 [search sourcetype=pan:traffic src_translated_port=##### src_translated_ip=###.###.##.## earliest=11/02/2012:23:00:00 latest=11/03/2012:00:23:00 | return 100 src_ip] | return 100 MAC]

return takes the subsearch results, picks out the specified field (src_ip or MAC) and builds an OR'd chain of up to 100 or however many you like matches, which then get applied to the outer search as a filter. In order for this to work nicely you need to extract the MAC as a field in the campusmgr sourcetype... which probably is a good idea on its own.

Reply

gkanapathy
Splunk Employee
Splunk Employee
‎03-11-2013 05:47 PM

Note that you can leave out the time specifiers (earliest/latest) since you're using the same ones in all searches. Just specify the time using the time dropdown or the earliest/latest flags/parameters on the CLI or API, rather than directly in the query, and all searches and subsearches will use that time range.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...

Index This | How many sevens are there between 1 and 100?

August 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...
Top