Splunk Enterprise Security

In Splunk Enterprise Security, how do you use a subsearch to correlate information?

lth186
New Member

Hello,

I'm trying to correlate events from 2 different source types and 2 searches, for example:

  • sourcetypeA has fields IP_Address, MAC_Address, User
  • sourcetypeB has the following fields: Time, IPAdd, hostname, DomainController. The IP Address field name is different from sourcetype A (i.e. IPAdd), there are multiple events with the same pair, and I'm only searching events on a particular DomainController.

I would like to display a table with the following result with one line for each IP Address:

IP_Address, MAC_Address, User, hostname, DomainController

I tried to use a subsearch like this:

sourcetype=sourcetypeA
[search sourcetype=sourcetypeB  DomainController="DC1"
| rename IPAdd as IP_Address | table IP_Address ] 
| table Time, IP_Address, MAC_Address, User, hostname, DomainController 

but it doesn't work. It only displays the values from the main search (SourcetypeA) (the fields from sourcetypeB are empty).

I'm not sure if a subsearch is the best way to do this? Any clue?

Thanks.

0 Karma

woodcock
Esteemed Legend

You are so close; try this:

index=YouShouldAlwaysSpecifyIndex_A AND sourcetype=AndSourcetypeToo_A AND
[ search index=YouShouldAlwaysSpecifyIndex_B AND sourcetype=AndSourcetypeToo_B AND DomainController="DC1"
| rename IPAdd AS IP_Address
| mvexpand IP_Address
| dedup IP_Address
| table IP_Address ]
| table _time, Time, IP_Address, MAC_Address, User, hostname, DomainController
0 Karma

renjith_nair
SplunkTrust

@lth186,

Give this a try and see if it works,

( sourcetype=sourcetypeA) OR (sourcetype=sourcetypeB  DomainController="DC1")
|eval IP=coalesce(IP_Address,IPAdd )|fields Time, IP, MAC_Address, User, hostname, DomainController 
|stats  values(*) as * by IP
0 Karma

renjith_nair
SplunkTrust

Okie, tried to simulate your data and I got the results.
Please have a look and let me know the difference in your data/results.

sourcetypeA has the following records:

IP_Address="1.1.1.1" , MAC_Address="AB:CD:ED:DF:SS",User="user1"
IP_Address="1.1.1.2" , MAC_Address="AB:CD:ED:DF:2S",User="user2"
IP_Address="1.1.1.3" , MAC_Address="AB:CD:ED:RF:SS",User="user3"

sourcetypeB has the following records:

Time="2019-02-09 01:00:00",IPAdd="1.1.1.1",hostname="PC1",DomainController="DC1"
Time="2019-02-09 01:01:00",IPAdd="1.1.1.1",hostname="PC2",DomainController="DC2" -->1.1.1.1 has both DC1 & DC2
Time="2019-02-09 01:02:00",IPAdd="1.1.1.2",hostname="PC3",DomainController="DC1"
Time="2019-02-09 01:03:00",IPAdd="1.1.1.3",hostname="PC4",DomainController="DC2" -->1.1.1.3 has only DC2

Search:

index=test ( sourcetype=sourcetypeA) OR (sourcetype=sourcetypeB DomainController="DC1")
|eval IP=coalesce(IP_Address,IPAdd )|fields Time, IP, MAC_Address, User, hostname, DomainController 
|stats  values(*) as * by IP

Result

0 Karma
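To see why the subsearch form only filters while the OR/coalesce/stats form actually merges fields, here is an added Python simulation of both pipelines over the sample records renjith_nair constructed above; it is not Splunk code and not from any poster in this thread, and the `only_matched` helper is an assumed extra step (the SPL equivalent would be `| where isnotnull(hostname)`, which nobody here has proposed).

```python
# Added example (not Splunk code): simulates both SPL approaches from this
# thread over the sample records renjith_nair constructed above.
SOURCETYPE_A = [
    {"IP_Address": "1.1.1.1", "MAC_Address": "AB:CD:ED:DF:SS", "User": "user1"},
    {"IP_Address": "1.1.1.2", "MAC_Address": "AB:CD:ED:DF:2S", "User": "user2"},
    {"IP_Address": "1.1.1.3", "MAC_Address": "AB:CD:ED:RF:SS", "User": "user3"},
]
SOURCETYPE_B = [
    {"Time": "2019-02-09 01:00:00", "IPAdd": "1.1.1.1", "hostname": "PC1", "DomainController": "DC1"},
    {"Time": "2019-02-09 01:01:00", "IPAdd": "1.1.1.1", "hostname": "PC2", "DomainController": "DC2"},
    {"Time": "2019-02-09 01:02:00", "IPAdd": "1.1.1.2", "hostname": "PC3", "DomainController": "DC1"},
    {"Time": "2019-02-09 01:03:00", "IPAdd": "1.1.1.3", "hostname": "PC4", "DomainController": "DC2"},
]
KEEP = ("Time", "MAC_Address", "User", "hostname", "DomainController")


def subsearch_filter(dc):
    """lth186's original form: the subsearch expands to an IP_Address filter
    on the outer sourcetypeA search, so no sourcetypeB field ever reaches
    the result rows (hostname/DomainController stay empty)."""
    allowed = {e["IPAdd"] for e in SOURCETYPE_B if e["DomainController"] == dc}
    return [e for e in SOURCETYPE_A if e["IP_Address"] in allowed]


def coalesce_stats(dc):
    """renjith_nair's form: (A) OR (B with DC filter)
    | eval IP=coalesce(IP_Address, IPAdd) | fields ... | stats values(*) as * by IP"""
    events = SOURCETYPE_A + [e for e in SOURCETYPE_B if e["DomainController"] == dc]
    by_ip = {}
    for e in events:
        ip = e.get("IP_Address") or e.get("IPAdd")  # coalesce: first non-null
        row = by_ip.setdefault(ip, {})
        for k in KEEP:  # mirrors the `fields` command
            if k in e:
                row.setdefault(k, set()).add(e[k])  # values(): distinct values
    return {ip: {k: sorted(v) for k, v in row.items()} for ip, row in by_ip.items()}


def only_matched(rows):
    """Assumed extra step (`| where isnotnull(hostname)` in SPL): drop IPs
    that appeared in sourcetypeA but had no sourcetypeB event on that DC,
    so the table really has one fully populated line per correlated IP."""
    return {ip: row for ip, row in rows.items() if "hostname" in row}
```

Note that `coalesce_stats` still returns 1.1.1.3 with only its sourcetypeA fields, because the OR search keeps every sourcetypeA event whether or not a DC1 event exists for it.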

lth186
New Member

@renjith.nair ,
Unfortunately it doesn't seem to work: the criteria in the second search (DomainController="DC1") don't seem to be taken into account, and only the fields from one sourcetype display correctly.
Thanks.

0 Karma

renjith_nair
SplunkTrust

If you search sourcetype=sourcetypeB DomainController="DC1" separately, do you have results?

0 Karma

lth186
New Member

Yes, I have.

0 Karma

renjith_nair
SplunkTrust

OK, are they multivalue fields (a single row has more than one value)?

0 Karma

lth186
New Member

There are multiple rows, but one IP_Address has only one single hostname, for example:
IP_Address1, PC1, DC1
IP_Address1, PC1, DC2
IP_Address2, PC2, DC2
IP_Address2, PC2, DC2
IP_Address3, PC3, DC1

0 Karma