Splunk Enterprise

Subsearch - how to search based on results of first search (e.g. foreach)

mag314
Explorer

What is typically the best way to do Splunk searches that follow this logic?

  1. First Search (get list of hosts)
  2. Get Results
  3. Second Search (for each result perform another search, such as finding the list of vulnerabilities).
My example is searching Qualys Vulnerability Data.

Searching HTTP Headers first and including Tag results in search query
index=qualys QID=48118
[search index=qualys "WebLogic RCE - CVE-2020-14882"
| dedup IP
| table IP]
| stats latest(_time) values(DNS) values(RESULTS) by IP
The issue with this search is that it doesn't include systems with the RCE tag but no QID=48118 (HTTP Headers Data).

Searching TAG first then Join
index=qualys "WebLogic RCE - CVE-2020-14882"
| dedup IP
| table IP, DNS
| join type=left IP
[search index=qualys QID=48118
| dedup IP RESULTS]
| stats values(DNS), values(RESULTS) by IP
The issue here is that I only get back one HTTP RESULT, there should be a few for each port that is open.

Any links to the best way to create subsearches from results would be great for learning. Thanks.

to4kawa
Ultra Champion
index=qualys QID=48118 OR "WebLogic RCE - CVE-2020-14882"
| stats latest(_time) as _time values(DNS) as DNS values(RESULTS) as RESULTS count(eval(searchmatch("WebLogic RCE - CVE-2020-14882"))) as check_count by IP
| where check_count > 0
| table _time IP DNS RESULTS

With Splunk, let's search and select in bulk.

mag314
Explorer

Thanks for your response. Does the searchmatch search across all fields in the record? This returned the 15 systems; however, all RESULTS from systems with "WebLogic" are returned. How do I only show the RESULTS from QID=48118 and not other QIDs from systems that have "WebLogic"?

I want to search all systems with "WebLogic RCE - CVE-2020-14882" and for each of these systems list the QID=48118s if they exist.

to4kawa
Ultra Champion
index=qualys QID=48118 AND "WebLogic RCE - CVE-2020-14882"
| stats latest(_time) as _time values(DNS) as DNS values(RESULTS) as RESULTS by IP
| table _time IP DNS RESULTS

In those conditions, this would be fine.

mag314
Explorer

This returns 0 results because the QID=48118 and "WebLogic RCE - CVE-2020-14882" are in separate events. Is there a way to modify your original search to only show QID RESULTS that are 48118? I was trying to do it by filtering out the other QIDs at the beginning, but then I lose the "WebLogic" events. Thank you.

to4kawa
Ultra Champion

| stats ... count(eval(searchmatch("WebLogic RCE - CVE-2020-14882"))) as check_count count(eval(QID=48118)) as check_QID by IP

| where ... AND check_QID > 0

richgalloway
SplunkTrust

The first search looks like it should work, but with some minor changes. When working with subsearches it helps to run the subsearch by itself with | format added to see exactly what is returned to the main search. Once you've adjusted the result of the subsearch, the rest should be easy.

Try this:

index=qualys QID=48118
[search index=qualys "WebLogic RCE - CVE-2020-14882"
| return 1000 IP]
| stats latest(_time) values(DNS) values(RESULTS) by IP
Keep in mind that everything returned by the subsearch must be a field in the main search. You'll see why when you look at the format output. That result is ANDed to the main search query, which is why systems with an RCE but no QID don't show up.

---
If this reply helps you, Karma would be appreciated.

mag314
Explorer

Thanks for the | format insight. That helps. When I use the return IP it only returns one IP, not the list of IPs. What I would like to see is the 15 systems returned from the subsearch, and then for each of those systems, if they have any QID=48118s, they show up. If none exist then it is blank, i.e. the RESULTS could return a blank if none are found.

Thank you.

richgalloway
SplunkTrust

My mistake. The return command defaults to returning a single entry. I've modified my answer.

---
If this reply helps you, Karma would be appreciated.

mag314
Explorer

Interesting. When I search index=qualys "WebLogic RCE - CVE-2020-14882" | return 1000 IP I get 3 IPs. When I add a dedup IP, index=qualys "WebLogic RCE - CVE-2020-14882" | dedup IP | return 1000 IP, I get 15 IPs. I double checked that I am running them over the same 30d time span. Any ideas on why that would be the case?

Assuming I use the dedup, this command works well. However, since it is using an AND with the subsearch, it only shows the 9 of 15 IPs that have the QID. How would I modify it so it would also show the remaining 6 IPs but with blank RESULTS? This is what I was trying to do with my second search in the original post.

index=qualys QID=48118
[search index=qualys "WebLogic RCE - CVE-2020-14882"
|dedup IP | return 1000 IP]
| stats values(DNS) values(RESULTS) by IP
Thank you so much for your assistance.

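An added search, not posted by anyone in this thread, that combines to4kawa's single-pass stats approach with the requirement from the last exchange: keep every IP that has a "WebLogic RCE - CVE-2020-14882" event, and list only the RESULTS that came from QID=48118 events, leaving RESULTS blank where that host has none. The field names IP, DNS, QID and RESULTS are the ones used in the thread; http_results, rce_count and qid_count are names chosen here.

```spl
index=qualys QID=48118 OR "WebLogic RCE - CVE-2020-14882"
| eval http_results=if(QID=48118, RESULTS, null())
| stats latest(_time) as _time
        values(DNS) as DNS
        values(http_results) as RESULTS
        count(eval(searchmatch("WebLogic RCE - CVE-2020-14882"))) as rce_count
        count(eval(QID=48118)) as qid_count
        by IP
| where rce_count > 0
| table _time IP DNS qid_count RESULTS
```

Because the hosts are grouped with stats instead of being ANDed into the base search as a subsearch filter, the six hosts with an RCE event but no QID=48118 event remain in the output with qid_count=0 and an empty RESULTS field, while the eval on the line before stats keeps RESULTS from other QIDs out of the values() list.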