Splunk Search

An Alternative to Subsearch

dcfrench3
Engager

Hello,

I am trying to use a subsearch in order to create a dashboard, but because subsearches have limitations it is timing out and not producing results. I know the code works when I shorten the duration of time and the logs it's ingesting, but that is not an acceptable solution for this dashboard. Is there a better way to write this code, or another way for me to produce the results?

index="iis_logs" sourcetype="iis" s_port="443" sc_status=401 cs_method!="HEAD" [search index="windows_logs" LogName="Security" Account_Domain=EXCH OR Account_Domain="-" EventCode="4625" OR EventCode="4740" user="john@doe.com" OR user="johndoe" | where NOT cidrmatch("192.168.0.0/16",Source_Network_Address) | top limit=1 Source_Network_Address | dedup Source_Network_Address | rename Source_Network_Address as c_ip | table c_ip]

My goal is to take information from the first panel in my dashboard and then use that information to do a different search in another panel.

1 Solution

dtburrows3
Builder

Ahh I see,

Note: this response is assuming usage of classic Splunk dashboards (XML)

So for panel_1 (used to gather the top source IP)
You can add a <done> tag and set a token based on the value of Source_Network_Address.
Example of Search_1:

index="windows_logs" LogName="Security" Account_Domain=EXCH OR Account_Domain="-" EventCode="4625" OR EventCode="4740" user="john@doe.com" OR user="johndoe"
    | where NOT cidrmatch("192.168.0.0/16", Source_Network_Address)
    | stats
        count as count,
        values(Account_Domain) as Account_Domain,
        values(EventCode) as EventCode,
        values(user) as user
            by Source_Network_Address
    | sort 1 -count

This token can then be referenced in panel_2

index="iis_logs" sourcetype="iis" s_port="443" sc_status=401 cs_method!="HEAD" c_ip=$ip$

In the XML this would look something like this,

.
.
.
        <search>
          <query>
            index="windows_logs" LogName="Security" Account_Domain=EXCH OR Account_Domain="-" EventCode="4625" OR EventCode="4740" user="john@doe.com" OR user="johndoe"
    | where NOT cidrmatch("192.168.0.0/16", Source_Network_Address)
    | stats
        count as count,
        values(Account_Domain) as Account_Domain,
        values(EventCode) as EventCode,
        values(user) as user
            by Source_Network_Address
    | sort 1 -count
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <set token="ip">$result.Source_Network_Address$</set>
          </done>
        </search>
.
.
.

Notice the <done><set token="ip">$result.Source_Network_Address$</set></done> nested in the <search> tags. This is taking the final result's value from the field Source_Network_Address and assigning it to a token named $ip$. This token can then be referenced by panel_2.

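A complete two-panel dashboard wiring up the token handoff described in the solution above, as an added example (not dtburrows3's own XML). It assumes classic Simple XML (a <form> root), the field names already used in this thread, and cs_uri_stem, a standard IIS field the thread itself does not mention. Two things are added to the fragment above. First, panel_2 references the token as $ip|s$: the s token filter makes Splunk insert the value as a quoted search string, which matters because Source_Network_Address comes from a log field that the remote client, not the dashboard author, controls, so it should never be spliced into search syntax raw. Second, the <done> handler unsets the token when panel_1 returns no rows, so depends="$ip$" hides panel_2 instead of leaving it to run against a stale address from an earlier refresh.

```xml
<form>
  <label>Lockout source to IIS 401s (added example, not from the thread)</label>

  <row>
    <panel>
      <title>panel_1: top external source of failed logons / lockouts</title>
      <table>
        <search>
          <query>
            index="windows_logs" LogName="Security" Account_Domain=EXCH OR Account_Domain="-" EventCode="4625" OR EventCode="4740" user="john@doe.com" OR user="johndoe"
            | where NOT cidrmatch("192.168.0.0/16", Source_Network_Address)
            | stats count as count, values(Account_Domain) as Account_Domain, values(EventCode) as EventCode, values(user) as user by Source_Network_Address
            | sort 1 -count
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <!-- No rows: clear the token so panel_2 (depends="$ip$") is hidden
                 rather than re-running with whatever value was set last time. -->
            <condition match="$job.resultCount$ == 0">
              <unset token="ip"></unset>
            </condition>
            <!-- $result.FIELD$ reads the FIRST result row; "sort 1 -count" above
                 guarantees that row is the most frequent source address. -->
            <condition>
              <set token="ip">$result.Source_Network_Address$</set>
            </condition>
          </done>
        </search>
      </table>
    </panel>
  </row>

  <row>
    <panel depends="$ip$">
      <title>panel_2: IIS 401 responses from $ip$</title>
      <table>
        <search>
          <!-- $ip|s$ quotes the token value for use inside a search string.
               cs_uri_stem is an assumed IIS field name, not one from the thread. -->
          <query>
            index="iis_logs" sourcetype="iis" s_port="443" sc_status=401 cs_method!="HEAD" c_ip=$ip|s$
            | stats count by cs_uri_stem, cs_method
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Because $result.FIELD$ is taken from the first row only, panel_1 must keep its sort and row limit; without them the token would be set from whichever address happened to be returned first. Both panels keep their own time range, so the IIS search still only covers the window the lockout evidence came from.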

gcusello
SplunkTrust

Hi @dcfrench3 ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉


gcusello
SplunkTrust

Hi @dcfrench3 ,

you can put both the searches in the main search and then use stats By the search keys to correlate events, something like this:

(index="iis_logs" sourcetype="iis" s_port="443" sc_status=401 cs_method!="HEAD") OR (index="windows_logs" LogName="Security" Account_Domain=EXCH OR Account_Domain="-" EventCode="4625" OR EventCode="4740" user="john@doe.com" OR user="johndoe")
| eval c_ip=coalesce(Source_Network_Address,c_ip)
| stats dc(index) AS index_count values(*) AS * BY c_ip
| where index_count=2

I don't know which fields you need, so I used values(*) AS * but you can use the fields you need.

Ciao.

Giuseppe


dcfrench3
Engager

Hi @gcusello and @dtburrows3 ,

Thanks for getting back to me. Sorry if my question wasn't 100% clear. So my current goal is that I'm attempting to create a dashboard. In one panel I have a base search of:

index="windows_logs" LogName="Security" Account_Domain=EXCH OR Account_Domain="-" EventCode="4625" OR EventCode="4740" user="john@doe.com" OR user="johndoe"

This is to grab the reason an account was locked out and would also show the source IP of that information. I essentially need to grab the IP information from this initial search so I can use it in the following search:

index="iis_logs" sourcetype="iis" s_port="443" sc_status=401 cs_method!="HEAD" c_ip=<source IP information from initial search>

I tried to use a subsearch, but because I am pulling from an index with iis logs, it's too large of a search and times out before it can complete.


dtburrows3
Builder

I agree with @gcusello here.
I did notice the use of the | top limit=1 Source_Network_Address in the original subsearch which I think implies that you are trying to scope the search down to a single IP address that shows up the most often in the windows_logs index and not in the 192.168.0.0/16 range.

Which I think can be done with a couple of additional lines like this.

(index="iis_logs" sourcetype="iis" s_port="443" sc_status=401 cs_method!="HEAD") OR (index="windows_logs" LogName="Security" Account_Domain=EXCH OR Account_Domain="-" EventCode="4625" OR EventCode="4740" user="john@doe.com" OR user="johndoe")
    | eval 
        c_ip=coalesce(Source_Network_Address,c_ip)
    | stats 
        dc(index) AS index_count,
        count(eval('index'=="windows_logs")) as win_log_count,
        values(*) AS * 
            BY c_ip
    | where index_count=2 AND NOT cidrmatch("192.168.0.0/16", c_ip)
    | sort 1 -win_log_count
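
The stats-based correlation in gcusello's reply and the single-IP refinement in dtburrows3's post above, as an added example in Python rather than SPL (it is not code from either reply). It re-implements the pipeline step by step (eval coalesce, stats BY c_ip with dc(index) and a conditional count, where with cidrmatch, sort) over a handful of constructed events, so the behaviour can be checked offline before the searches are run over a large iis_logs index: an address must appear in both indexes, private-range addresses drop out, and the "-" Windows writes when no source address was recorded never correlates. Field names are the thread's; the events themselves, the documentation-range IPs and the cs_uri_stem values are constructed.

```python
"""Subsearch-free correlation of Windows logon failures with IIS 401s.

Added example, not code from the thread: a Python model of the SPL in the replies
    eval c_ip=coalesce(Source_Network_Address, c_ip)
    | stats dc(index) AS index_count, count(eval('index'=="windows_logs")) AS win_log_count,
            values(*) AS * BY c_ip
    | where index_count=2 AND NOT cidrmatch("192.168.0.0/16", c_ip)
    | sort 1 -win_log_count
"""
import ipaddress
from collections import defaultdict

# Constructed sample events (RFC 5737 documentation addresses); not real log data.
EVENTS = [
    {"index": "windows_logs", "EventCode": "4625", "user": "johndoe", "Source_Network_Address": "203.0.113.10"},
    {"index": "windows_logs", "EventCode": "4625", "user": "johndoe", "Source_Network_Address": "203.0.113.10"},
    {"index": "windows_logs", "EventCode": "4740", "user": "john@doe.com", "Source_Network_Address": "203.0.113.10"},
    {"index": "windows_logs", "EventCode": "4625", "user": "johndoe", "Source_Network_Address": "198.51.100.9"},
    {"index": "windows_logs", "EventCode": "4625", "user": "johndoe", "Source_Network_Address": "192.168.5.7"},
    {"index": "windows_logs", "EventCode": "4740", "user": "johndoe", "Source_Network_Address": "-"},
    {"index": "iis_logs", "sc_status": 401, "cs_method": "POST", "c_ip": "203.0.113.10", "cs_uri_stem": "/owa/auth.owa"},
    {"index": "iis_logs", "sc_status": 401, "cs_method": "POST", "c_ip": "198.51.100.9", "cs_uri_stem": "/owa/auth.owa"},
    {"index": "iis_logs", "sc_status": 401, "cs_method": "POST", "c_ip": "192.168.5.7", "cs_uri_stem": "/owa/auth.owa"},
    {"index": "iis_logs", "sc_status": 401, "cs_method": "GET", "c_ip": "198.51.100.200", "cs_uri_stem": "/ecp/"},
]


def cidrmatch(cidr, value):
    """Mimic SPL cidrmatch(): a value that is not an IP address (e.g. "-") never matches."""
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(cidr)
    except ValueError:
        return False


def correlate(events, exclude_cidr="192.168.0.0/16"):
    """Return one row per c_ip seen in BOTH indexes, outside exclude_cidr, busiest first."""
    groups = defaultdict(lambda: {"indexes": set(), "win_log_count": 0, "values": defaultdict(set)})
    for ev in events:
        # eval c_ip=coalesce(Source_Network_Address, c_ip): first non-null field wins,
        # so a Windows "-" is kept as a key (and later fails the index_count test).
        c_ip = ev.get("Source_Network_Address") or ev.get("c_ip")
        if c_ip is None:
            continue  # stats ... BY c_ip silently drops events with no key
        g = groups[c_ip]
        g["indexes"].add(ev["index"])                   # feeds dc(index)
        if ev["index"] == "windows_logs":               # count(eval('index'=="windows_logs"))
            g["win_log_count"] += 1
        for field, value in ev.items():                 # values(*) AS *
            g["values"][field].add(value)

    rows = []
    for c_ip, g in groups.items():
        # where index_count=2 AND NOT cidrmatch("192.168.0.0/16", c_ip)
        if len(g["indexes"]) != 2 or cidrmatch(exclude_cidr, c_ip):
            continue
        rows.append({**{k: sorted(map(str, v)) for k, v in g["values"].items()},
                     "c_ip": c_ip,
                     "index_count": len(g["indexes"]),
                     "win_log_count": g["win_log_count"]})
    rows.sort(key=lambda r: r["win_log_count"], reverse=True)  # sort -win_log_count
    return rows


def top_ip(events):
    """The single address 'sort 1 -win_log_count' would keep, or None if nothing correlates."""
    rows = correlate(events)
    return rows[0]["c_ip"] if rows else None


if __name__ == "__main__":
    for row in correlate(EVENTS):
        print(row["c_ip"], row["index_count"], row["win_log_count"], row["EventCode"], row["cs_uri_stem"])
```

The point of the OR'd base search is that both indexes are read in a single pass and grouped by the shared key, so none of the subsearch row, time or memory limits apply; the trade-off is that every matching iis_logs event is scanned rather than only those for one address, which is why the stats fields should be narrowed from values(*) to the ones the dashboard actually displays.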

 
