In my query, I am trying to combine the output from one index and sourcetype with the output of another index and sourcetype. I have looked at the documentation and came across subsearches, and have attempted to use the search command, but I am not getting any results, leading me to believe I am definitely doing it wrong. Please see my example below.
index=A sourcetype=cat ProjectOwner="person" dest_owner="person" [search sourcetype=FW destp=1111 action=denied | table host] | table srcdns srcip
Hi @shrugshoulders1
Pulling events from different sources is as simple as using an OR statement, like below:
(index=A sourcetype=cat ProjectOwner="person" dest_owner="person")
OR
(index=B sourcetype=FW destp=1111 action=denied)
| table host srcdns srcip
| ...
The harder part can be combining the events together afterwards, as that requires a common key value, or correlation id, in each event to tie them together. If they have this, then something like the stats command is brilliant, e.g.
... your search ...
| stats values(*) AS * BY ...common key value to combine events...
| ...
Hope this helps
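The OR-then-stats pattern above, worked through for the scenario in the question, as an added example that is not part of either poster's search. It assumes the source IP address is the common key: the inventory events (index=A, sourcetype=cat) carry it as srcip, and the firewall events carry it as src_ip and dest_ip (field names assumed; substitute whatever your FW sourcetype actually extracts). The coalesce step normalises the two names onto one field so that stats can group both event types under it, and the final where keeps only IPs that appeared in the inventory and also had denied traffic, which is effectively an inner join done without the join command.

```spl
(index=A sourcetype=cat ProjectOwner="person" dest_owner="person")
OR
(index=B sourcetype=FW destp=22 action=denied)
| eval ip=coalesce(srcip, src_ip)
| stats values(srcdns) AS srcdns
        values(ProjectOwner) AS owner
        values(dest_ip) AS denied_dests
        count(eval(action="denied")) AS denied_count
        min(eval(if(action="denied", _time, null()))) AS first_denied
        max(eval(if(action="denied", _time, null()))) AS last_denied
      BY ip
| where isnotnull(owner) AND denied_count > 0
| convert ctime(first_denied) ctime(last_denied)
| sort - denied_count
```

Because each row coming out of the OR holds only its own fields (inventory rows have no action, firewall rows have no ProjectOwner), the eval inside min() and max() restricts the timestamps to the denied events rather than the inventory records. Drop the where clause if you also want to see owned servers with zero denials, or IPs seen at the firewall that are missing from the inventory.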
I really appreciate your help.
I thought I would be able to accomplish this using a subsearch, where I search for denied traffic to port 22, as an example, using the source IP address as an output commonality for the main search, to match those src IP addresses to machines that are owned by one user. I may have misread the documentation.
Learning is occurring.
What do you mean by "combine"? What is the desired output to look like?
Use a subsearch when you want to incorporate the results of one search into the query of another search. In the example, index A will be searched for all hosts reporting sourcetype FW and destp 1111 with action=denied.
To simply include the events from two indexes and sourcetypes, just put OR between them.
(index=A sourcetype=cat ProjectOwner="person" dest_owner="person") OR (index=baz sourcetype=FW destp=1111 action=denied)
This merely dumps the events found. It makes no relationship between them. If there is to be any then please elaborate.
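The subsearch form of the same question, as an added example that is not part of either poster's search. Here the subsearch runs against the inventory index and returns the list of source IPs owned by the user, and the outer search then filters the firewall denials to that list. As above, the firewall source and destination IP fields are assumed to be src_ip and dest_ip; the rename inside the subsearch is what makes the inventory field name line up with the firewall field name, since a subsearch is turned into a literal (src_ip="..." OR src_ip="...") clause.

```spl
index=B sourcetype=FW destp=22 action=denied
    [ search index=A sourcetype=cat ProjectOwner="person" dest_owner="person"
      | dedup srcip
      | rename srcip AS src_ip
      | fields src_ip ]
| stats count AS denied_count
        values(dest_ip) AS denied_dests
        earliest(_time) AS first_denied
        latest(_time) AS last_denied
      BY src_ip
| convert ctime(first_denied) ctime(last_denied)
| sort - denied_count
```

To see exactly what the outer search receives, run the subsearch on its own with | format appended. Two caveats: a subsearch only filters, so the host name and owner from the inventory are not present in the output (add them with a lookup or use the OR-plus-stats approach instead), and subsearches are capped by default at 10,000 results and 60 seconds, so a large inventory silently truncates the IP list.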
Thank you for your help. I will elaborate. Owners of servers with host names that are assigned to various owners are in one index and sourcetype. FW traffic is in another. I want to create an inventory list of servers belonging to one specific user; this information would be in its own index and sourcetype. I then want to find all denied traffic to a specific port, which would be in the FW index and sourcetype.
I thought I would be able to accomplish this using a subsearch, where I search for denied traffic to port 22, as an example, using the source IP address as an output commonality for the main search, to match those src IP addresses to machines that are owned by one user. I may have misread the documentation.
I hope that I have helped you better help me with my reply.