Splunk Search

Appended search results not showing some fields

Armyeric
Path Finder

I have the following query:
index="IPSType1" | append [ search index="IPSType2"] | rename attacker as src_ip| top src_ip limit=75 | fields src_ip count description risk_warning risk_suspicious

I have verified that I get the combined query total equals what each separate query finds. And I am seeing the breakdown down of IP addresses and count...BUT I am not seeing anything for description, risk_warning, or risk_suspicious.

I have tried adding: "|rename risk_warning as description| rename risk_suspicious as description |" as well, but that does the same thing.

0 Karma
1 Solution

Armyeric
Path Finder

index="CiscoIPS" NOT (some stuff to eliminate internal internal IP ranges) | rename attacker as src_ip | append [ search index="netwitness" NOT (some stuff to eliminate internal IP ranges)| rename risk_warning as description| rename risk_suspicious as description ] | geoip src_ip | stats count by src_ip, description, index, geo_info |sort -count | head 100

View solution in original post

0 Karma

Armyeric
Path Finder

index="CiscoIPS" NOT (some stuff to eliminate internal internal IP ranges) | rename attacker as src_ip | append [ search index="netwitness" NOT (some stuff to eliminate internal IP ranges)| rename risk_warning as description| rename risk_suspicious as description ] | geoip src_ip | stats count by src_ip, description, index, geo_info |sort -count | head 100

0 Karma

Armyeric
Path Finder

So, I used the suggestion to use stats instead of top. I also figured out that I needed to do my renames within each search string as opposed to doing it after the two search strings (like I did in my original question).

I noticed that there were originally 3 people who responded to my question (as indicated via email) but there was only one post when I started initially responding. Not sure why you would delete your post. But anyway, thanks to those that responded!

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

Use of the top command removes all but the selected field and the count and percent fields. In any case, even if it preserved them, it would be necessary to specify which description you're looking for, as each src_ip could in principle have a different one.

You might rewrite as:

index=type1 OR index=type2 | stats first(description) as description, first(risk_warning) as risk_warning, first(risk_suspicious) as risk_suspicious, count by src_ip | sort - count | head 75
0 Karma

Armyeric
Path Finder

Also, looking at the data that is found, none of the IPS data shows up in the output (even though it is show on the side in the field discovery. So, I would assume that "attacker" must be changed to "src_ip"...which I would assume I would use "rename attacker as src_ip". If that is true, where to place it?

0 Karma

Armyeric
Path Finder

This works to some degree. The issue is that one index is netwitness and it labels the source as "src_ip" and uses "risk_" to indicate the type of attack. The IPS uses "attacker" as the source and uses "description" to indicate the type of attack.

When I run the search as you provided, description shows up as a column header, but there is not data listed. Looking at the fields to the right, it indicates that both indexes are used and that there is data in the description field.

I would think that, even if the attack/src_ip are the same, that both description and risk_ would be shown?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...