Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Problem: Searching for matching fields within multiple source types

KNichol5hd
Explorer
‎03-11-2013 11:48 AM

I am a new Splunk user who uses Splunk to find infected hosts on our network. I currently run 3 separate searches to pinpoint the users but would like to combine them into one with the goal of ultimately having this e-mailed to myself.

These are the following searches:
sourcetype=pan:traffic src_translated_port=##### src_translated_ip=###.###.##.## earliest=11/02/2012:23:00:00 latest=11/03/2012:00:23:00

I then review these results to find the src_ip needed to run the subsequent searches.
Using the src_ip, I then run this search:
sourcetype=msdhcp earliest=11/02/2012:23:00:00 latest=11/03/2012:00:23:00 src_ip=###.###.##.###

I then review these results to find the MAC address associated with the first two searches.
Using the MAC address, I then run this search to determine the user associated with the MAC:
sourcetype=campusmgr earliest=11/02/2012:23:00:00 latest=11/03/2012:00:23:00 ##:##:##:##:##:##

Is there a way to combine these searches into one using map search or the eval commands?

Any insight would be appreciated. Thanks

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-11-2013 02:20 PM

You could combine the searches like this:

sourcetype=campusmgr earliest=11/02/2012:23:00:00 latest=11/03/2012:00:23:00 [search sourcetype=msdhcp earliest=11/02/2012:23:00:00 latest=11/03/2012:00:23:00 [search sourcetype=pan:traffic src_translated_port=##### src_translated_ip=###.###.##.## earliest=11/02/2012:23:00:00 latest=11/03/2012:00:23:00 | return 100 src_ip] | return 100 MAC]

return takes the subsearch results, picks out the specified field (src_ip or MAC) and builds an OR'd chain of up to 100 or however many you like matches, which then get applied to the outer search as a filter. In order for this to work nicely you need to extract the MAC as a field in the campusmgr sourcetype... which probably is a good idea on its own.

Reply

gkanapathy
Splunk Employee
Splunk Employee
‎03-11-2013 05:47 PM

Note that you can leave out the time specifiers (earliest/latest) since you're using the same ones in all searches. Just specify the time using the time dropdown or the earliest/latest flags/parameters on the CLI or API, rather than directly in the query, and all searches and subsearches will use that time range.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...