
Assistance with Map using Map to perform a search from a table of the original search

atljoer
Loves-to-Learn

TL;DR: The goal is to perform an initial search which returns a table of the times a user authenticated, then for each row in the table perform a subsequent search to find each time they established a connection to the server. The authentication data and network data are 100% separate.

My initial search is:

index=authentication objectId="thingIcareabout" 
| eval earliest1=timestamp/1000
| eval earliestPlus10m=earliest1+600
| table username, earliest1, earliestPlus10m

This successfully runs and returns:

username   earliest1    earliestPlus10m
Joe        1610632992   1610630191
Bob        1610629591   1610633592


The reason I add earliestPlus10m is so that I can run a subsequent search against the network index and limit the number of results to parse.

If I try the map command:
index=authentication objectId="thingIcareabout" 
| eval earliest1=timestamp/1000
| eval earliestPlus10m=earliest1+600
| table username, earliest1, earliestPlus10m
| map search="index=network connected $username$ earliest=$earliest1$ latest=$earliestPlus10m$ | stats earliest(_time)" 

I get my 2 events, but no results in Statistics from map. When I run the Job Inspector it says the map returns no results. I literally copy the query from the inspector and run it in a new search, and it does return exactly what I want. For instance
index=network connected Joe earliest=1610632992 latest=1610632992 | stats earliest(_time) does return correctly. 

Confused here what I may be doing wrong...


My ultimate goal is:

userName   earliest1    subsearch(time)   calculated field (subsearchtime-earliest1)
Joe        1610632992   1610633001        9
Bob        1610629591   1610629598        7

to4kawa
Ultra Champion


index=network connected [ search index=authentication objectId="thingIcareabout" 
| eval earliest=timestamp/1000 
| eval latest=earliest+600 
| table username, earliest, latest
| format "(" "" "" "" ") OR (" ")"]


But your ultimate goal and '| stats earliest(_time)' are different.

Also, is Joe not in the username field in the network index?


ref: My Japanese blog (English translated)


atljoer
Loves-to-Learn

Hi, thank you to4kawa. Maybe I should focus on the goal:

Run 1 query that returns:

Userid   Auth Time
Joe      1/19 6:30 AM
Bob      1/19 7:30 AM
Hank     1/19 9:45 AM
Joe      1/19 3:30 PM


For each row in that result set, run a subsequent query against a 'network' index which is basically:

  • Find the first time 'Joe' shows up in the network log starting at 6:30 AM: 6:31:22
  • Find the first time 'Bob' shows up in the network log starting at 7:30 AM: 7:35:12
  • Find the first time 'Hank' shows up in the network log starting at 9:45 AM: 9:45:46
  • Find the first time 'Joe' shows up in the network log starting at 3:30 PM: 3:31:05

Then for each row, subtract the network log timestamp from the Auth timestamp so that each row returns:

Timestamp      User (Session)   TimefromAuthtoNetwork
1/19 6:30 AM   Joe              1:22
1/19 7:30 AM   Bob              5:12
1/19 9:45 AM   Hank             0:46
1/19 3:30 PM   Joe              1:05


Does that make sense? 


to4kawa
Ultra Champion

index=auth OR index=network
| stats min(eval(if(index=auth,_time,NULL))) as _time range(_time) as TimefromAuthtoNetwork by userid


You may have multiple sessions in a day, etc., but this is the basic idea.

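The two approaches in this thread, the per-row lookup atljoer describes (first network event after each auth time, then the delta) and the single-pass `stats ... by userid` in to4kawa's last answer, worked through side by side in Python as an added example; this is not code from either poster or from Splunk, and the auth and network events are constructed sample data matching the thread's table, with an extra user Ann (authenticates, never connects) and a second Joe connection added to show the edge cases.

```python
from datetime import datetime, timedelta

# Constructed sample events (not taken from the thread's indexes): (user, time) pairs
# standing in for the "authentication" and "network" index results.
AUTH_EVENTS = [
    ("Joe", datetime(2021, 1, 19, 6, 30)),
    ("Bob", datetime(2021, 1, 19, 7, 30)),
    ("Hank", datetime(2021, 1, 19, 9, 45)),
    ("Ann", datetime(2021, 1, 19, 11, 0)),   # added: authenticates but never connects
    ("Joe", datetime(2021, 1, 19, 15, 30)),  # Joe's second session of the day
]
NETWORK_EVENTS = [
    ("Joe", datetime(2021, 1, 19, 6, 31, 22)),
    ("Bob", datetime(2021, 1, 19, 7, 35, 12)),
    ("Hank", datetime(2021, 1, 19, 9, 45, 46)),
    ("Joe", datetime(2021, 1, 19, 15, 31, 5)),
    ("Joe", datetime(2021, 1, 19, 15, 40, 0)),  # added: later connection in the same session, must be ignored
]

WINDOW = timedelta(minutes=10)  # the earliestPlus10m bound from the question


def first_connection_after(user, auth_time, network_events, window=WINDOW):
    """Earliest network event for `user` in [auth_time, auth_time + window), or None.

    This is what each mapped search "index=network connected <user> earliest=... latest=...
    | stats earliest(_time)" is meant to return for one row of the auth table.
    """
    hits = [t for u, t in network_events if u == user and auth_time <= t < auth_time + window]
    return min(hits) if hits else None


def per_session_delays(auth_events, network_events, window=WINDOW):
    """One row per authentication: auth_time, user, delay (network - auth, or None if no hit)."""
    rows = []
    for user, auth_time in auth_events:
        first = first_connection_after(user, auth_time, network_events, window)
        delay = first - auth_time if first is not None else None
        rows.append({"auth_time": auth_time, "user": user, "delay": delay})
    return rows


def per_user_range(auth_events, network_events):
    """Approximate to4kawa's single-pass stats:
    stats min(eval(if(index=auth,_time,NULL))) as _time range(_time) as TimefromAuthtoNetwork by userid
    range(_time) is max - min over ALL of that user's events, auth and network together,
    so a user with several sessions in the window gets one span covering all of them."""
    times = {}
    for user, t in auth_events + network_events:
        times.setdefault(user, []).append(t)
    first_auth = {}
    for user, t in auth_events:
        first_auth[user] = min(first_auth.get(user, t), t)
    return {user: (first_auth.get(user), max(ts) - min(ts)) for user, ts in times.items()}


def format_mmss(delta):
    """Render a timedelta as m:ss like the 1:22 / 5:12 values in the thread."""
    if delta is None:
        return "n/a"
    secs = int(delta.total_seconds())
    return f"{secs // 60}:{secs % 60:02d}"


if __name__ == "__main__":
    print("per session (map / join style)")
    for row in per_session_delays(AUTH_EVENTS, NETWORK_EVENTS):
        print(f'{row["auth_time"]:%m/%d %I:%M %p}  {row["user"]:<5} {format_mmss(row["delay"])}')
    print("per user (stats ... by userid style)")
    for user, (auth_time, span) in per_user_range(AUTH_EVENTS, NETWORK_EVENTS).items():
        print(f"{auth_time:%m/%d %I:%M %p}  {user:<5} {format_mmss(span)}")
```

Running it prints one row per authentication in the first table (Joe 1:22, Bob 5:12, Hank 0:46, Ann n/a, Joe 1:05), while the per-user table collapses Joe's two sessions into a single 550:00 span because `range(_time)` runs from his first auth to his last connection. That is the "multiple sessions in a day" caveat to4kawa mentions; bounding each lookup to a window after its own auth event, as the earliestPlus10m field does, is what keeps the sessions apart.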