Splunk Search

An Alternative to Subsearch

dcfrench3
Engager

Hello,

I am trying to use a subsearch in order to create a dashboard, but being the subsearches have limitations it is timing out and not producing results. I know the code works when I shorten the duration of time and logs it's ingesting, but that is not an acceptable solution for this dashboard. Is there a better way to write this code or another way for me to produce the results?

 

index="iis_logs" sourcetype="iis" s_port="443" sc_status=401 cs_method!="HEAD" [search index="windows_logs" LogName="Security" Account_Domain=EXCH OR Account_Domain="-" EventCode="4625" OR EventCode="4740" user="john@doe.com" OR user="johndoe" | where NOT cidrmatch("192.168.0.0/16",Source_Network_Address) | top limit=1 Source_Network_Address | dedup Source_Network_Address | rename Source_Network_Address as c_ip | table c_ip]

 

My goal is to take information from first panel in my dashboard and then use that information to do a different search in another panel

 

 

 

Labels (1)
0 Karma
1 Solution

dtburrows3
Builder

Ahh I see,

Note: this response is assuming usage of classic Splunk dashboards (XML)

So for panel_1 (used to gather the top source IP)
You can add a <done> tag and set a token based on the value of Source_Network_Address.
Example of Search_1:

index="windows_logs" LogName="Security" Account_Domain=EXCH OR Account_Domain="-" EventCode="4625" OR EventCode="4740" user="john@doe.com" OR user="johndoe"
    | where NOT cidrmatch("192.168.0.0/16", Source_Network_Address)
    | stats
        count as count,
        values(Account_Domain) as Account_Domain,
        values(EventCode) as EventCode,
        values(user) as user
            by Source_Network_Address
    | sort 1 -count



This token can then be referenced in panel_2

index="iis_logs" sourcetype="iis" s_port="443" sc_status=401 cs_method!="HEAD" c_ip=$ip$

 

In the XML this would look something like this,

.
.
.
        <search>
          <query>
            index="windows_logs" LogName="Security" Account_Domain=EXCH OR Account_Domain="-" EventCode="4625" OR EventCode="4740" user="john@doe.com" OR user="johndoe"
    | where NOT cidrmatch("192.168.0.0/16", Source_Network_Address)
    | stats
        count as count,
        values(Account_Domain) as Account_Domain,
        values(EventCode) as EventCode,
        values(user) as user
            by Source_Network_Address
    | sort 1 -count
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <set token="ip">$result.Source_Network_Address$</set>
          </done>
        </search>
.
.
.

 Notice the <done><set token="ip">$result.Source_Network_Address$</set></done> nested in the <search> tags. This is taking the final result's value from the field Source_Network_Address and assigning it to a token named $ip$. This token can then be referenced by panel_2.

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @dcfrench3 ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @dcfrench3 ,

you can put both the searches in the main search and then use stats By the search keys to correlate events, something like this:

(index="iis_logs" sourcetype="iis" s_port="443" sc_status=401 cs_method!="HEAD") OR (index="windows_logs" LogName="Security" Account_Domain=EXCH OR Account_Domain="-" EventCode="4625" OR EventCode="4740" user="john@doe.com" OR user="johndoe")
| eval c_ip=coalesce(Source_Network_Address,c_ip)
| stats dc(index) AS index_count values(*) AS * BY c_ip
| where index_count=2

I don't know which fields you need, so I used values(*) AS * but you can use the fields you need.

Ciao.

Giuseppe

0 Karma

dcfrench3
Engager

Hi @gcusello and @dtburrows3 ,

Thanks for getting back to me. Sorry if my question wasn't 100% clear. So my current goal is that I'm attempting to create a dashboard. In one panel I have a base search of:

index="windows_logs" LogName="Security" Account_Domain=EXCH OR Account_Domain="-" EventCode="4625" OR EventCode="4740" user="john@doe.com" OR user="johndoe"

This is to grab the reason an account was locked out and would also show the source IP of that information. I essentially need to grab the IP information from this initial search so I can use it in the follow search:

index="iis_logs" sourcetype="iis" s_port="443" sc_status=401 cs_method!="HEAD" c_ip=<source IP information from initial search>

I tried to use a subsearch, but being the I am pulling from an index with iis logs, it's too large of a search and times out before it can complete.

0 Karma

dtburrows3
Builder

Ahh I see,

Note: this response is assuming usage of classic Splunk dashboards (XML)

So for panel_1 (used to gather the top source IP)
You can add a <done> tag and set a token based on the value of Source_Network_Address.
Example of Search_1:

index="windows_logs" LogName="Security" Account_Domain=EXCH OR Account_Domain="-" EventCode="4625" OR EventCode="4740" user="john@doe.com" OR user="johndoe"
    | where NOT cidrmatch("192.168.0.0/16", Source_Network_Address)
    | stats
        count as count,
        values(Account_Domain) as Account_Domain,
        values(EventCode) as EventCode,
        values(user) as user
            by Source_Network_Address
    | sort 1 -count



This token can then be referenced in panel_2

index="iis_logs" sourcetype="iis" s_port="443" sc_status=401 cs_method!="HEAD" c_ip=$ip$

 

In the XML this would look something like this,

.
.
.
        <search>
          <query>
            index="windows_logs" LogName="Security" Account_Domain=EXCH OR Account_Domain="-" EventCode="4625" OR EventCode="4740" user="john@doe.com" OR user="johndoe"
    | where NOT cidrmatch("192.168.0.0/16", Source_Network_Address)
    | stats
        count as count,
        values(Account_Domain) as Account_Domain,
        values(EventCode) as EventCode,
        values(user) as user
            by Source_Network_Address
    | sort 1 -count
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <set token="ip">$result.Source_Network_Address$</set>
          </done>
        </search>
.
.
.

 Notice the <done><set token="ip">$result.Source_Network_Address$</set></done> nested in the <search> tags. This is taking the final result's value from the field Source_Network_Address and assigning it to a token named $ip$. This token can then be referenced by panel_2.

dtburrows3
Builder

I agree with @gcusello here.
I did notice the use of the | top limit=1 Source_Network_Address in the original subsearch which I think implies that you are trying to scope the search down to a single IP address that shows up the most often in the windows_logs index and not in the 192.168.0.0/16 range.

Which I think can be done with a couple of additional lines like this.

(index="iis_logs" sourcetype="iis" s_port="443" sc_status=401 cs_method!="HEAD") OR (index="windows_logs" LogName="Security" Account_Domain=EXCH OR Account_Domain="-" EventCode="4625" OR EventCode="4740" user="john@doe.com" OR user="johndoe")
    | eval 
        c_ip=coalesce(Source_Network_Address,c_ip)
    | stats 
        dc(index) AS index_count,
        count(eval('index'=="windows_logs")) as win_log_count,
        values(*) AS * 
            BY c_ip
    | where index_count=2 AND NOT cidrmatch("192.168.0.0/16", c_ip)
    | sort 1 -win_log_count

 

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...