Hello,
I am trying to use a subsearch in order to create a dashboard, but since subsearches have limitations it is timing out and not producing results. I know the code works when I shorten the duration of time and the logs it's ingesting, but that is not an acceptable solution for this dashboard. Is there a better way to write this code or another way for me to produce the results?
index="iis_logs" sourcetype="iis" s_port="443" sc_status=401 cs_method!="HEAD" [search index="windows_logs" LogName="Security" (Account_Domain=EXCH OR Account_Domain="-") (EventCode="4625" OR EventCode="4740") (user="john@doe.com" OR user="johndoe") | where NOT cidrmatch("192.168.0.0/16",Source_Network_Address) | top limit=1 Source_Network_Address | dedup Source_Network_Address | rename Source_Network_Address as c_ip | table c_ip]
My goal is to take information from the first panel in my dashboard and then use that information to do a different search in another panel.
Ahh I see,
Note: this response is assuming usage of classic Splunk dashboards (XML)
So for panel_1 (used to gather the top source IP)
You can add a <done> tag and set a token based on the value of Source_Network_Address.
Example of Search_1:
index="windows_logs" LogName="Security" (Account_Domain=EXCH OR Account_Domain="-") (EventCode="4625" OR EventCode="4740") (user="john@doe.com" OR user="johndoe")
| where NOT cidrmatch("192.168.0.0/16", Source_Network_Address)
| stats
count as count,
values(Account_Domain) as Account_Domain,
values(EventCode) as EventCode,
values(user) as user
by Source_Network_Address
| sort 1 -count
This token can then be referenced in panel_2:
index="iis_logs" sourcetype="iis" s_port="443" sc_status=401 cs_method!="HEAD" c_ip=$ip$
In the XML this would look something like this:
.
.
.
<search>
  <query>
    index="windows_logs" LogName="Security" (Account_Domain=EXCH OR Account_Domain="-") (EventCode="4625" OR EventCode="4740") (user="john@doe.com" OR user="johndoe")
    | where NOT cidrmatch("192.168.0.0/16", Source_Network_Address)
    | stats
        count as count,
        values(Account_Domain) as Account_Domain,
        values(EventCode) as EventCode,
        values(user) as user
      by Source_Network_Address
    | sort 1 -count
  </query>
  <earliest>-24h@h</earliest>
  <latest>now</latest>
  <done>
    <set token="ip">$result.Source_Network_Address$</set>
  </done>
</search>
.
.
.
Notice the <done><set token="ip">$result.Source_Network_Address$</set></done> nested in the <search> tags. This is taking the final result's value from the field Source_Network_Address and assigning it to a token named $ip$. This token can then be referenced by panel_2.
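The following is an added example of a complete classic Simple XML dashboard that wires the two panels together as described above; it is not dtburrows3's own XML. The dashboard label, panel titles, the `ip` token name, the 24-hour time range and the IIS field `cs_uri_stem` used in panel_2's stats are assumptions. Beyond the answer, it clears the token in a `<progress>` handler so a refresh that returns no lockout events never leaves panel_2 running against a stale IP, and uses `depends="$ip$"` so panel_2 stays hidden (and its large IIS search is never dispatched) until a value exists.

```xml
<!-- Added example dashboard (not the answerer's code). Assumed names:
     dashboard label, panel titles, token "ip", time range, cs_uri_stem. -->
<dashboard>
  <label>Account lockout source correlation (example)</label>
  <row>
    <panel>
      <title>Top external source of lockout events (panel_1)</title>
      <table>
        <search>
          <query>
index="windows_logs" LogName="Security" (Account_Domain=EXCH OR Account_Domain="-") (EventCode="4625" OR EventCode="4740") (user="john@doe.com" OR user="johndoe")
| where NOT cidrmatch("192.168.0.0/16", Source_Network_Address)
| stats count AS count, values(Account_Domain) AS Account_Domain, values(EventCode) AS EventCode, values(user) AS user BY Source_Network_Address
| sort 1 -count
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <!-- Clear the token while the search runs: if no rows come back,
               $ip$ stays unset and panel_2 stays hidden instead of reusing
               the IP from the previous refresh. -->
          <progress>
            <unset token="ip"></unset>
          </progress>
          <!-- $result.<field>$ is the first row's value; "sort 1 -count"
               above guarantees that row is the most frequent source IP. -->
          <done>
            <set token="ip">$result.Source_Network_Address$</set>
          </done>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <!-- depends= keeps panel_2 hidden and its search unrun until $ip$ is set,
         so the large iis_logs scan only happens for one concrete address. -->
    <panel depends="$ip$">
      <title>IIS 401 responses from $ip$ (panel_2)</title>
      <table>
        <search>
          <query>
index="iis_logs" sourcetype="iis" s_port="443" sc_status=401 cs_method!="HEAD" c_ip="$ip$"
| stats count BY cs_uri_stem, cs_method
| sort -count
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

Quoting the token as `c_ip="$ip$"` is a small hardening over the bare `c_ip=$ip$` form: the token is substituted as text into the search string, so quoting keeps an unexpected value from being interpreted as search syntax rather than as a literal field value.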
Hi @dcfrench3 ,
good for you, see next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated by all the contributors 😉
Hi @dcfrench3 ,
you can put both searches in the main search and then use stats BY the search keys to correlate events, something like this:
(index="iis_logs" sourcetype="iis" s_port="443" sc_status=401 cs_method!="HEAD") OR (index="windows_logs" LogName="Security" (Account_Domain=EXCH OR Account_Domain="-") (EventCode="4625" OR EventCode="4740") (user="john@doe.com" OR user="johndoe"))
| eval c_ip=coalesce(Source_Network_Address,c_ip)
| stats dc(index) AS index_count values(*) AS * BY c_ip
| where index_count=2
I don't know which fields you need, so I used values(*) AS * but you can use the fields you need.
Ciao.
Giuseppe
Hi @gcusello and @dtburrows3 ,
Thanks for getting back to me. Sorry if my question wasn't 100% clear. So my current goal is that I'm attempting to create a dashboard. In one panel I have a base search of:
index="windows_logs" LogName="Security" (Account_Domain=EXCH OR Account_Domain="-") (EventCode="4625" OR EventCode="4740") (user="john@doe.com" OR user="johndoe")
This is to grab the reason an account was locked out and would also show the source IP of that information. I essentially need to grab the IP information from this initial search so I can use it in the following search:
index="iis_logs" sourcetype="iis" s_port="443" sc_status=401 cs_method!="HEAD" c_ip=<source IP information from initial search>
I tried to use a subsearch, but since I am pulling from an index with IIS logs, it's too large of a search and times out before it can complete.
I agree with @gcusello here.
I did notice the use of the | top limit=1 Source_Network_Address in the original subsearch which I think implies that you are trying to scope the search down to a single IP address that shows up the most often in the windows_logs index and not in the 192.168.0.0/16 range.
Which I think can be done with a couple of additional lines like this.
(index="iis_logs" sourcetype="iis" s_port="443" sc_status=401 cs_method!="HEAD") OR (index="windows_logs" LogName="Security" (Account_Domain=EXCH OR Account_Domain="-") (EventCode="4625" OR EventCode="4740") (user="john@doe.com" OR user="johndoe"))
| eval
c_ip=coalesce(Source_Network_Address,c_ip)
| stats
dc(index) AS index_count,
count(eval('index'=="windows_logs")) as win_log_count,
values(*) AS *
BY c_ip
| where index_count=2 AND NOT cidrmatch("192.168.0.0/16", c_ip)
| sort 1 -win_log_count