Sub Searching - tstats

griggsy · ‎12-07-2018

Hello,

I have a query for returning blocked data from our firewall to Google's DNS Servers - I now want to correlate this with data from our proxy to attempt to identify the user logged onto the machine. What I have written is below:

| tstats summariesonly=t count as Count, dc(fw.rule) as dc_rules, values(fw.rule) as rules, max(_time) as LastSeen, values(fw.dest_ip) as Destination FROM datamodel=Firewall.fw WHERE fw.dest_ip = 8.8.4.4 OR fw.dest_ip = 8.8.8.8 AND fw.action = "blocked" BY fw.src_ip, fw.action | rename src_ip as src_host | join srch_host [ search index=proxy | fields src_host,UserName] | table src_host,Destination,action,UserName,Count

The proxy index is quite data heavy so ideally I would like to set the search to have src_host as the src_host identified in the parent query. Could anyone help a.) Streamline the query to improve performance and b.) help me get it working!

Many Thanks

valiquet · ‎12-21-2018

Drop the sub search. Use a lookup running on indexers.

Use fields instead of table.

Sub Searching - tstats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

Join the Conversation

Sub Searching - tstats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling