Splunk Enterprise Security

Can you match with subsearch using an evaluated field?

tomshew
New Member

I am trying to compare 2 indexes (malicious domains against proxy logs) using an evaluated field. I have a subsearch which pulls from 2 fields (host and uri) and want to match it against a field (host and uri) of the parent search.

index=proxy_logs method=GET [inputlookup malicious_urls.csv | eval full_url=host.uri | table full_url] | eval full_url=host.uri | table full_url

It is not returning any events, but it should as I'm using test data. I've tried putting the eval before the subsearch, which I assumed was the problem like this:

index=proxy_logs method=GET | eval full_url=host.uri | search [inputlookup malicious_urls.csv | eval full_url=host.uri | table full_url] | table full_url

This also doesn't return any results. Any recommendations? I will also take a solution that allows to return both the host and uri individually and compare against host and uri in the proxy logs, but couldn't find that solution either. I can successfully just match on one field, the host, but this is rather noisy as many of the domains are domain shorteners.

Any help is appreciated. Thanks.

0 Karma

to4kawa
Ultra Champion
index=proxy_logs method=GET [| inputlookup malicious_urls.csv | eval full_url=host.uri |stats values(full_url) as query | format]
0 Karma

tomshew
New Member

So this returns a query with each full_url ORed together. But there is still no "full_url" field in the proxy_logs index to compare it to, so it doesn't return any results. Thats why I need to do the eval on the proxy_logs index as well, and compare against that.

0 Karma

to4kawa
Ultra Champion

I am sorry for I've mistaken.
my answer is updated.

0 Karma

tomshew
New Member

This works on returning the string including the full_url, but the base search doesn't have a "full_url" field until it is evaluated, and even then it wont directly search for the subsearch results in that field.

Would need to be something like the below, but it doesn't work:

index=proxy_logs method=GET | eval full_url=host.uri | search [| inputlookup malicious_urls.csv | eval full_url=host.uri |stats values(full_url) as query | format]
0 Karma

to4kawa
Ultra Champion

https://docs.splunk.com/Documentation/Splunk/latest/Search/GetstartedwithSearch

The presence of the field is not relevant for the search.

what's the result you want?
table? events? only match (boolean)?

0 Karma

to4kawa
Ultra Champion
index=proxy_logs method=GET full_url=*

Is there the results?

0 Karma

tomshew
New Member

Not without the eval full_url=host.uri command first as that field doesn't exist directly in the proxy logs index

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...