Knowledge Management

How to pass the result of a first command to a second one?

darphboubou
Explorer

Hi

I want to put the result of this command into a second one:

[image: search1.png]

Actually I extract the result into a CSV file, and use the CSV file as a lookup in another command, like below.

(damtest2.csv is the result of my first command)

[image: search2.png]

How can I proceed to avoid passing through a lookup?

Regards

gcusello
SplunkTrust

Hi @darphboubou,

Please, next time, copy your search into the Code Sample window so it's easier to answer by copying your code.

Anyway, yes, you can put the first search as a subsearch of the second.

You only have to pay attention to three points:

  • at the end of the subsearch, you always have to use a command like table or fields to identify the fields to use as key, and only those fields, not others,
  • these fields must have the same name as the corresponding ones in the main search; if not, use rename in the subsearch to align the field names,
  • the results of the subsearch must be fewer than 50,000; if there are more than 50,000, you have to use another approach.

It's complicated to rewrite your search; anyway, you should have something like this:

<your_second_search> [ search <your_first_search> | fields Workstation_Name ]
| ...

Ciao.

Giuseppe

darphboubou
Explorer

Hi @gcusello,

I don't get it, but here is the code.

Retrieve NTLMv1 requests and add the field operating system to the result:

index="windows" Authentication_Package=NTLM Account_Domain!="NT AUTHORITY" Package_Name__NTLM_only_="NTLM V1"
| join type=left Workstation_Name [ search index=bel_ldapsearch AND (type=server) | table name operatingSystem | rename name AS Workstation_Name, operatingSystem AS os ]
| eval AccountD=mvindex(Account_Domain,1)
| eval AccountN=mvindex(Account_Name,1)
| table AccountD, AccountN, Workstation_Name, Package_Name__NTLM_only_, os
| rename Workstation_Name AS "Server", Package_Name__NTLM_only_ AS "NTLM Type"
| where isnotnull(os)
| dedup Server
| sort Server

and the second one:

index=windows EventCode=4624   [ | inputlookup damtest2.csv | rename Server AS Workstation_Name | fields Workstation_Name ]
| lookup damtest2.csv Server AS Workstation_Name OUTPUT os 
| table Workstation_Name os Package_Name__NTLM_only_ 
| dedup Workstation_Name Package_Name__NTLM_only_ 
| sort Workstation_Name
| where Package_Name__NTLM_only_="NTLM V2"

Thanks for your help 🙂

Regards

gcusello
SplunkTrust

Hi @darphboubou,

to execute the first search you don't need all the things you have in the lookup generation, so you should try something like this:

index=windows EventCode=4624 [ search index="windows" Authentication_Package=NTLM Account_Domain!="NT AUTHORITY" Package_Name__NTLM_only_="NTLM V1" | fields Workstation_Name ]
| lookup damtest2.csv Server AS Workstation_Name OUTPUT os 
| table Workstation_Name os Package_Name__NTLM_only_ 
| dedup Workstation_Name Package_Name__NTLM_only_ 
| sort Workstation_Name
| where Package_Name__NTLM_only_="NTLM V2"

Ciao.

Giuseppe

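As an added example (not code from any post above), here is a version that follows the three subsearch rules and drops the intermediate CSV entirely: the NTLMv1 subsearch returns only Workstation_Name as the key, the LDAP join from the first search supplies os in place of the damtest2.csv lookup, and the final where keeps only servers known in LDAP. All index and field names are taken from the posts; the dedup inside the subsearch is an addition that keeps its result count small.

```spl
index=windows EventCode=4624
    [ search index="windows" Authentication_Package=NTLM Account_Domain!="NT AUTHORITY" Package_Name__NTLM_only_="NTLM V1"
      | dedup Workstation_Name
      | fields Workstation_Name ]
| join type=left Workstation_Name
    [ search index=bel_ldapsearch type=server
      | table name operatingSystem
      | rename name AS Workstation_Name, operatingSystem AS os ]
| where isnotnull(os) AND Package_Name__NTLM_only_="NTLM V2"
| dedup Workstation_Name Package_Name__NTLM_only_
| table Workstation_Name os Package_Name__NTLM_only_
| sort Workstation_Name
```

The subsearch expands to a Workstation_Name="..." OR ... filter on the 4624 events, so the field name must match exactly on both sides, as Giuseppe's second point requires.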