Splunk Enterprise Security

In Splunk Enterprise Security, how do you use a subsearch to correlate information?

lth186
New Member

Hello,

I'm trying to correlate events from 2 different sourcetypes, with 2 searches, for example:

  • sourcetypeA has fields IP_Address, MAC_Address, User
  • sourcetypeB has the following fields: Time, IPAdd, hostname, DomainController. The IP Address field name is different from sourcetype A (i.e. IPAdd), there are multiple events with the same pair, and I'm only searching events on a particular DomainController.

I would like to display a table with the following result with one line for each IP Address:

IP_Address, MAC_Address, User, hostname, DomainController

I tried to use a subsearch like this:

sourcetype=sourcetypeA
[search sourcetype=sourcetypeB  DomainController="DC1"
| rename IPAdd as IP_Address | table IP_Address ] 
| table Time, IP_Address, MAC_Address, User, hostname, DomainController 

but it doesn't work. It only displays the values from the main search (sourcetypeA); the fields from sourcetypeB are empty.

I'm not sure if a subsearch is the best way to do this. Any clue?

Thanks.

0 Karma

woodcock
Esteemed Legend

You are so close; try this:

index=YouShouldAlwaysSpecifyIndex_A AND sourcetype=AndSourcetypeToo_A AND
[ search index=YouShouldAlwaysSpecifyIndex_B AND sourcetype=AndSourcetypeToo_B AND DomainController="DC1"
| rename IPAdd AS IP_Address
| mvexpand IP_Address
| dedup IP_Address
| table IP_Address ]
| table _time, Time, IP_Address, MAC_Address, User, hostname, DomainController
0 Karma

renjith_nair
SplunkTrust

@lth186,

Give this a try and see if it works,

(sourcetype=sourcetypeA) OR (sourcetype=sourcetypeB DomainController="DC1")
| eval IP=coalesce(IP_Address, IPAdd)
| fields Time, IP, MAC_Address, User, hostname, DomainController
| stats values(*) as * by IP
Happy Splunking!
0 Karma

renjith_nair
SplunkTrust

Okay, I tried to simulate your data and I got the results.
Please have a look and let me know the difference in your data/results.

sourcetypeA has the following records:

IP_Address="1.1.1.1" , MAC_Address="AB:CD:ED:DF:SS",User="user1"
IP_Address="1.1.1.2" , MAC_Address="AB:CD:ED:DF:2S",User="user2"
IP_Address="1.1.1.3" , MAC_Address="AB:CD:ED:RF:SS",User="user3"

sourcetypeB has the following records:

Time="2019-02-09 01:00:00",IPAdd="1.1.1.1",hostname="PC1",DomainController="DC1"
Time="2019-02-09 01:01:00",IPAdd="1.1.1.1",hostname="PC2",DomainController="DC2" -->1.1.1.1 has both DC1 & DC2
Time="2019-02-09 01:02:00",IPAdd="1.1.1.2",hostname="PC3",DomainController="DC1"
Time="2019-02-09 01:03:00",IPAdd="1.1.1.3",hostname="PC4",DomainController="DC2" -->1.1.1.3 has only DC2

Search:

index=test (sourcetype=sourcetypeA) OR (sourcetype=sourcetypeB DomainController="DC1")
| eval IP=coalesce(IP_Address, IPAdd)
| fields Time, IP, MAC_Address, User, hostname, DomainController
| stats values(*) as * by IP

Result
(screenshot of the result table not reproduced)

Happy Splunking!
0 Karma
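To make the difference between the two suggestions in this thread concrete, here is a small Python model of what each search does to the sample records renjith_nair posted. It is an added example, not Splunk code and not from any poster: the events are constructed from the post above, and the Splunk semantics are a deliberate simplification (a subsearch expands to an OR filter of the IP_Address values it returns, coalesce() takes the first non-null argument, and stats values(*) as * by IP collects the distinct values of every other field per IP, as a multivalue list when more than one value is seen). It covers both woodcock's subsearch form and renjith_nair's OR + coalesce + stats form.

```python
# Added example: a Python model of the two searches discussed in the thread.
# Not Splunk code; sample events are constructed from renjith_nair's post and
# the Splunk semantics are simplified as described in the lead-in.
from collections import defaultdict

# Constructed sample events (same values as in the thread).
A_EVENTS = [
    {"sourcetype": "sourcetypeA", "IP_Address": "1.1.1.1", "MAC_Address": "AB:CD:ED:DF:SS", "User": "user1"},
    {"sourcetype": "sourcetypeA", "IP_Address": "1.1.1.2", "MAC_Address": "AB:CD:ED:DF:2S", "User": "user2"},
    {"sourcetype": "sourcetypeA", "IP_Address": "1.1.1.3", "MAC_Address": "AB:CD:ED:RF:SS", "User": "user3"},
]
B_EVENTS = [
    {"sourcetype": "sourcetypeB", "Time": "2019-02-09 01:00:00", "IPAdd": "1.1.1.1", "hostname": "PC1", "DomainController": "DC1"},
    {"sourcetype": "sourcetypeB", "Time": "2019-02-09 01:01:00", "IPAdd": "1.1.1.1", "hostname": "PC2", "DomainController": "DC2"},
    {"sourcetype": "sourcetypeB", "Time": "2019-02-09 01:02:00", "IPAdd": "1.1.1.2", "hostname": "PC3", "DomainController": "DC1"},
    {"sourcetype": "sourcetypeB", "Time": "2019-02-09 01:03:00", "IPAdd": "1.1.1.3", "hostname": "PC4", "DomainController": "DC2"},
]

# Columns of the final "table" / "fields" command in the thread.
COLUMNS = ["Time", "IP", "MAC_Address", "User", "hostname", "DomainController"]


def subsearch_style(a_events, b_events, dc):
    """Model of the subsearch form (the OP's and woodcock's searches).

    The inner search runs first and returns only IP_Address values; Splunk
    rewrites them into (IP_Address=x OR IP_Address=y ...) and applies that as a
    filter on the outer sourcetypeA search.  The outer events never carry
    Time/hostname/DomainController, so those columns stay empty: the subsearch
    filters, it does not join.
    """
    allowed = {e["IPAdd"] for e in b_events if e["DomainController"] == dc}
    rows = []
    for e in a_events:
        if e["IP_Address"] in allowed:
            row = {c: e.get(c) for c in COLUMNS}
            row["IP"] = e["IP_Address"]
            rows.append(row)
    return rows


def or_coalesce_stats(a_events, b_events, dc=None):
    """Model of renjith_nair's form:

        (sourcetype=sourcetypeA) OR (sourcetype=sourcetypeB DomainController=dc)
        | eval IP=coalesce(IP_Address, IPAdd)
        | fields Time, IP, MAC_Address, User, hostname, DomainController
        | stats values(*) as * by IP

    dc=None models leaving the DomainController filter out, which is what makes
    an IP seen on two DCs collapse into multivalue hostname/DomainController.
    """
    base = list(a_events) + [
        e for e in b_events if dc is None or e["DomainController"] == dc
    ]
    groups = defaultdict(lambda: defaultdict(set))
    for e in base:
        ip = e.get("IP_Address") or e.get("IPAdd")  # coalesce(IP_Address, IPAdd)
        for c in COLUMNS:
            if c != "IP" and c in e:
                groups[ip][c].add(e[c])
    rows = []
    for ip in sorted(groups):
        row = {"IP": ip}
        for c in COLUMNS:
            if c == "IP":
                continue
            vals = sorted(groups[ip][c])
            # None = field absent for this IP, str = single value, list = multivalue
            row[c] = None if not vals else vals[0] if len(vals) == 1 else vals
        rows.append(row)
    return rows


def _cell(v):
    if v is None:
        return ""
    return ", ".join(v) if isinstance(v, list) else str(v)


def render(rows):
    """Render rows as a fixed-width text table, joining multivalue cells with commas."""
    widths = {c: max([len(c)] + [len(_cell(r[c])) for r in rows]) for c in COLUMNS}
    lines = [" | ".join(c.ljust(widths[c]) for c in COLUMNS)]
    for r in rows:
        lines.append(" | ".join(_cell(r[c]).ljust(widths[c]) for c in COLUMNS))
    return "\n".join(lines)


if __name__ == "__main__":
    print("subsearch form, DC1 (sourcetypeB columns stay empty):")
    print(render(subsearch_style(A_EVENTS, B_EVENTS, "DC1")))
    print("\nOR + coalesce + stats, DC1:")
    print(render(or_coalesce_stats(A_EVENTS, B_EVENTS, "DC1")))
    print("\nOR + coalesce + stats, no DC filter (1.1.1.1 becomes multivalue):")
    print(render(or_coalesce_stats(A_EVENTS, B_EVENTS)))
```

Two things the model makes visible: with the DC1 filter, 1.1.1.3 still appears in the stats output with only its sourcetypeA fields (no sourcetypeB event for it passed the filter), and without the filter 1.1.1.1 gets two hostnames and two DomainControllers in one row, which is the multivalue case renjith_nair asks about further down. In real SPL, appending `| where isnotnull(hostname)` after the stats would drop IPs that had no matching DC1 event, if only matched rows are wanted.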

lth186
New Member

@renjith.nair ,
Unfortunately, it doesn't seem to work: the criterion in the second search (DomainController="DC1") doesn't seem to be taken into account, and only the fields from one sourcetype display correctly.
Thanks.

0 Karma

renjith_nair
SplunkTrust

If you search sourcetype=sourcetypeB DomainController="DC1" separately, do you have results?

Happy Splunking!
0 Karma

lth186
New Member

Yes, I have.

0 Karma

renjith_nair
SplunkTrust

OK, are they multivalue fields (a single row has more than one value)?

Happy Splunking!
0 Karma

lth186
New Member

There are multiple rows, but one IP_Address has only one single hostname, for example:
IP_Address1, PC1, DC1
IP_Address1, PC1, DC2
IP_Address2, PC2, DC2
IP_Address2, PC2, DC2
IP_Address3, PC3, DC1

0 Karma