
Problem: Searching for matching fields within multiple source types

KNichol5hd
Explorer

I am a new Splunk user who uses Splunk to find infected hosts on our network. I currently run 3 separate searches to pinpoint the users but would like to combine them into one with the goal of ultimately having this e-mailed to myself.

These are the following searches:
sourcetype=pan:traffic src_translated_port=##### src_translated_ip=###.###.##.## earliest=11/02/2012:23:00:00 latest=11/03/2012:00:23:00

I then review these results to find the src_ip needed to run the subsequent searches.
Using the src_ip, I then run this search:
sourcetype=msdhcp earliest=11/02/2012:23:00:00 latest=11/03/2012:00:23:00 src_ip=###.###.##.###

I then review these results to find the MAC address associated with the first two searches.
Using the MAC address, I then run this search to determine the user associated with the MAC:
sourcetype=campusmgr earliest=11/02/2012:23:00:00 latest=11/03/2012:00:23:00 ##:##:##:##:##:##

Is there a way to combine these searches into one using map search or the eval commands?

Any insight would be appreciated. Thanks.


martin_mueller
SplunkTrust

You could combine the searches like this:

sourcetype=campusmgr earliest=11/02/2012:23:00:00 latest=11/03/2012:00:23:00 [search sourcetype=msdhcp earliest=11/02/2012:23:00:00 latest=11/03/2012:00:23:00 [search sourcetype=pan:traffic src_translated_port=##### src_translated_ip=###.###.##.## earliest=11/02/2012:23:00:00 latest=11/03/2012:00:23:00 | return 100 src_ip] | return 100 MAC]

return takes the subsearch results, picks out the specified field (src_ip or MAC) and builds an OR'd chain of up to 100 (or however many you like) matches, which then get applied to the outer search as a filter. In order for this to work nicely you need to extract the MAC as a field in the campusmgr sourcetype... which probably is a good idea on its own.
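
To make the inside-out evaluation of that nested search concrete, here is an added Python model (not from this thread, and not Splunk code) of how each `return N field` step turns subsearch results into an OR'd field filter for the next outer search. The events, IP addresses, MACs and user names are constructed sample data; the field names follow the searches in the question.

```python
# Added example (not from the original thread): a small Python model of how
# Splunk's "return N field" turns subsearch results into an OR'd filter, and
# how the three nested searches in the answer pivot traffic -> DHCP -> user.
# All events below are constructed sample data; field names follow the thread.

# Constructed sample events for the three sourcetypes used in the question.
EVENTS = [
    {"sourcetype": "pan:traffic", "src_translated_port": "40001",
     "src_translated_ip": "203.0.113.10", "src_ip": "10.1.2.3"},
    {"sourcetype": "pan:traffic", "src_translated_port": "40001",
     "src_translated_ip": "203.0.113.10", "src_ip": "10.1.2.4"},
    {"sourcetype": "pan:traffic", "src_translated_port": "40002",
     "src_translated_ip": "203.0.113.10", "src_ip": "10.1.9.9"},
    {"sourcetype": "msdhcp", "src_ip": "10.1.2.3", "MAC": "00:11:22:33:44:55"},
    {"sourcetype": "msdhcp", "src_ip": "10.1.2.4", "MAC": "00:11:22:33:44:66"},
    {"sourcetype": "msdhcp", "src_ip": "10.1.9.9", "MAC": "00:11:22:33:44:77"},
    {"sourcetype": "campusmgr", "MAC": "00:11:22:33:44:55", "user": "alice"},
    {"sourcetype": "campusmgr", "MAC": "00:11:22:33:44:66", "user": "bob"},
    {"sourcetype": "campusmgr", "MAC": "00:11:22:33:44:77", "user": "carol"},
]


def search(events, **filters):
    """Model of the implicit AND of field=value terms in a Splunk search."""
    return [e for e in events if all(e.get(k) == v for k, v in filters.items())]


def return_filter(results, field, limit=100):
    """Model of '| return <limit> <field>': the first <limit> values of <field>
    (deduplicated here for readability) become an OR'd chain of field="value"
    terms. Returns the value list and the SPL text that would be substituted."""
    values = list(dict.fromkeys(e[field] for e in results if field in e))[:limit]
    spl = " OR ".join(f'{field}="{v}"' for v in values)
    return values, spl


def users_for_nat_session(events, port, nat_ip, limit=100):
    """The combined search from the answer, evaluated inside-out:
    pan:traffic -> src_ip values -> msdhcp -> MAC values -> campusmgr."""
    traffic = search(events, sourcetype="pan:traffic",
                     src_translated_port=port, src_translated_ip=nat_ip)
    src_ips, _ = return_filter(traffic, "src_ip", limit)
    dhcp = [e for e in search(events, sourcetype="msdhcp") if e["src_ip"] in src_ips]
    macs, _ = return_filter(dhcp, "MAC", limit)
    users = [e["user"] for e in search(events, sourcetype="campusmgr") if e["MAC"] in macs]
    return sorted(set(users))
```

Lowering `limit` shows why the count given to `return` matters: with `return 1` only the first src_ip survives the inner subsearch and the remaining hosts never reach the campusmgr lookup.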

gkanapathy
Splunk Employee

Note that you can leave out the time specifiers (earliest/latest) since you're using the same ones in all searches. Just specify the time using the time dropdown or the earliest/latest flags/parameters on the CLI or API, rather than directly in the query, and all searches and subsearches will use that time range.
