Splunk Search

Combined Linux Searches

gm3ndez
New Member

Hello ,

Im trying to run a audit search for high priority linux servers - should have the following in the search

sudo login, failed login, login/logoff and account change and deletion.

i was able to combine to searches with the "OR" command:

index="ssh_login_index" sourcetype="linux_secure" (process=sshd session opened OR closed) host="linux server"

but still cant combine the rest of the searches to the search above. Thanks in advance!

Labels (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @gm3ndez,

I had to do something like this and I solved it with eventtypes and tags:

I created many eventtypes containing each one a single search, e.g.:

[Linux_Audit]
search = index=os sourcetype=linux_secure NOT disconnect

[Linux_Logfail]
search = eventtype=Linux_Audit "failed password"

[Linux_Login]
search = eventtype=Linux_Audit "accepted password"

[Linux_Logout]
search = eventtype=Linux_Audit "session closed"

associating to each one dedicated tags (e.g. LINUX for each and then LOGIN for Linux_Login, LOGFAIL for Linux_Logfail, and so on)

in this way in the search I can use only

tag=LINUX

having all the searches in eventtypes in a little search.

This way is a little more complicated, but more efficient and clear to maintain and use.

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Index This | What goes away as soon as you talk about it?

May 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...