Splunk Search

Comparing matching fields in macro

SplunkNewbie18
New Member

Hi,

I would like to display results if both the user and src_user fields match, but it shows an "unbalanced parentheses" error.

Main search:
index=windows ...... NOT (same_login_macro)
| table src_user, user

Macro for same_login_macro:
"failed" | where src_user=user

Can someone help? How can I return search results when the values of both fields match, using "where" or another workable method, for use in a macro?

0 Karma
1 Solution

vishaltaneja070
Motivator

Hello @SplunkNewbie18

Try this: index=windows ...... NOT same_login_macro
| table src_user, user

0 Karma

SplunkNewbie18
New Member

Hmm... nope, it doesn't work. It returns me 0 results. 😞 I'm using the macros as a whitelisting concept to exclude events from the results.

0 Karma

harishalipaka
Motivator

Can you explain in depth what you want?

*********All the Best***********
0 Karma

vishaltaneja070
Motivator

As per the macro definition, this will be the search:
index=windows ...... NOT "failed" | where src_user=user
| table src_user, user

This will be the search that runs in the background. Could you please let me know the exact requirement? What is required, as the above search is "searching for events in the windows index, then filtering the events which do not have the "failed" keyword, and then searching for events where src_user = user"?

0 Karma

SplunkNewbie18
New Member

I have multiple macros in the main search but am simplifying it for illustration purposes. For instance:

Main search
index=windows NOT macro1 NOT macro2

Macro 1
"success" user="admin"

Macro 2
"failed" | where src_user=user

If you suggest putting NOT macro2, it will not work, as it will apply the NOT condition first and then the where: (NOT "failed") | where src_user=user. Whereas what I'm looking for is NOT the results found in ("failed" | where src_user=user).

0 Karma

vishaltaneja070
Motivator

I think you need to try a subsearch in this case, like:

 index=windows NOT `macro1` | search NOT [ search index=windows "failed" | where src_user=user]

OR

 index=windows NOT macro1 | search NOT [`macro2` ]

MACRO2:

 search index=windows "failed" | where src_user=user

0 Karma
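The three forms discussed in this thread, written out as an added example (not code from the original posts): a macros.conf stanza for each variant of the whitelist plus savedsearches.conf stanzas for the main searches. The stanza names, the `index=windows` scope and the field names `src_user`/`user` are assumptions carried over from the thread for illustration; the search macros in your environment will differ. Macro expansion in SPL is purely textual, which is why the first form misbehaves, and the third form avoids the subsearch result limits that silently truncate the second.

```conf
# Added example, not from the original thread. Stanza names, the index and
# the field names are assumptions for illustration.

# --- macros.conf ------------------------------------------------------------

# Whitelist macro whose body contains a pipe. Expansion is textual, so
#   index=windows NOT `same_login_macro`
# becomes
#   index=windows NOT "failed" | where src_user=user
# i.e. NOT binds only to "failed" and the where then filters the main search.
[same_login_macro]
definition = "failed" | where src_user=user

# The same whitelist as a complete search meant to run inside [ ], so NOT
# applies to the whole result set. dedup shrinks the returned set to unique
# (src_user, user) pairs and table drops _raw/_time so the subsearch is
# formatted as ((src_user="a" AND user="a") OR (src_user="b" AND user="b") ...)
# rather than as every extracted field of every event.
[same_login_subsearch]
definition = search index=windows "failed" | where src_user=user | dedup src_user user | table src_user user

# The same condition as an eval expression evaluated per event, with no
# subsearch at all. searchmatch() tests the event against a search string.
# Wrapping the test in if() matters: a null src_user or user makes the
# comparison null, and where would silently drop such events; if() turns
# null into 0 so they are kept instead of vanishing from the results.
[same_login_eval]
definition = if(searchmatch("failed") AND src_user=user, 1, 0)

# --- savedsearches.conf -----------------------------------------------------

# 1) Does NOT do what the poster wants: after expansion the where clause
#    filters the main search instead of the whitelist.
[windows_logins_broken_exclusion]
search = index=windows NOT `same_login_macro` | table src_user, user

# 2) Working form from the thread: exclude every (src_user, user) pair the
#    subsearch returns. Subject to the [subsearch] limits in limits.conf
#    (by default maxout = 10000 results and maxtime = 60 seconds); past
#    either limit the subsearch is cut off and the exclusion is incomplete
#    without any error in the results.
[windows_logins_subsearch_exclusion]
search = index=windows NOT [`same_login_subsearch`] | table src_user, user

# 3) Equivalent without a subsearch: flag each event against the whitelist
#    condition and keep the ones that do not match. No result-count limits
#    apply, so this is the safer choice when the whitelist can grow large.
[windows_logins_eval_exclusion]
search = index=windows | eval same_login=`same_login_eval` | where same_login=0 | table src_user, user
```

Form 2 and form 3 return the same events for whitelists below the subsearch limits; above them only form 3 stays correct. If the rest of the main search is a large `index=windows ...` filter, form 3 also keeps the exclusion logic close to the events rather than running the index scan twice.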

SplunkNewbie18
New Member

Ohhh great! It works. Thanks vishal!

0 Karma

vishaltaneja070
Motivator

@SplunkNewbie18

No Problem 🙂
Can you please accept the answer to close the thread?

0 Karma