Conditional for Sub Search

kholleran
Communicator

Hello,

I have a search that looks for a particular set of data. If the data comes from a particular source address, I would like to run a second sub search that builds a list of logged-in users from the Windows Event log.

Basically, I have some routers that generate syslog traffic when connected to. These can only be connected to by a single workstation. If for some reason they are connected via another workstation, we need to know and return this in the search. However, we also want to know when the allowed workstation connects and we want to determine who is logged into that workstation.

So something like:

source="syslog" minutesago=20 | if(SRC=ALLOWED_HOST, SUBSEARCH returns successful logins to ALLOWED_HOST in the past 30 minutes)

This is not entirely accurate as someone could be logged in for a longer period of time but it at least gives us more information.

Can anyone give me tips on how to build such a search?

Thanks.

Kevin

Lowell
Super Champion

Conditional searching isn't really supported.

Splunk doesn't provide any kind of procedural language support within its search language. (Perhaps a database analogy would be helpful: Splunk provides an SQL-like search language, but does not provide any kind of PL/SQL or T-SQL language around the searches themselves.) Generally, this isn't much of a limitation. If you want to do procedural operations that involve Splunk searches, then you can pick your own procedural language and easily execute Splunk searches using the REST API (HTTP calls) or the Splunk CLI search interface (OS system calls) from the language of your choosing.
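Taking the REST API route from the answer above literally, here is an added example that is not part of the thread and not Splunk's own code: the "if SRC is the allowed host, then run the logon search" decision lives in Python, and each branch is just an ordinary SPL search submitted to the `/services/search/jobs/export` endpoint. The allowed workstation's IP and hostname, the `sourcetype="WinEventLog:Security"` / `EventCode=4624` / `user` / `ComputerName` field names, the management-port URL and token auth are all assumptions; the sample result rows are constructed so the logic can be run offline through a stand-in runner.

```python
"""Added example: drive two Splunk searches from Python, with the conditional
kept in Python rather than in SPL. Not from the original post; the REST runner
is illustrative and assumes token auth on the management port.
"""
import json
import urllib.parse
import urllib.request

# Assumptions (not in the original post): the permitted management workstation
# appears as this source IP in router syslog and as this ComputerName in the
# Windows Security log.
ALLOWED_SRC = "10.0.0.5"
ALLOWED_NAME = "WKS-NETOPS"

# Search 1: router syslog from the last 20 minutes. The SRC field name comes
# from the question; the table fields are assumed.
ROUTER_SEARCH = 'search source="syslog" earliest=-20m | table _time host SRC'
# Search 2: successful logons (4624) to the allowed workstation in the last
# 30 minutes. Sourcetype and the extracted "user" field follow the Splunk
# Add-on for Windows conventions and are assumptions here.
LOGON_SEARCH = (
    'search sourcetype="WinEventLog:Security" EventCode=4624 '
    'ComputerName="{host}" earliest=-30m | table _time user'
)


def splunk_rest_runner(base_url, token):
    """Return a callable that runs SPL through /services/search/jobs/export.

    With output_mode=json the endpoint streams one JSON object per line; each
    final result row is under the "result" key. base_url is e.g.
    https://splunk.example:8089 (assumed). This path is not exercised offline.
    """
    def run(spl):
        body = urllib.parse.urlencode({"search": spl, "output_mode": "json"}).encode()
        req = urllib.request.Request(
            f"{base_url}/services/search/jobs/export",
            data=body,
            headers={"Authorization": f"Bearer {token}"},
        )
        with urllib.request.urlopen(req) as resp:
            for line in resp:
                line = line.strip()
                if line:
                    obj = json.loads(line)
                    if "result" in obj:
                        yield obj["result"]
    return run


def make_fake_runner(events_by_marker):
    """Offline stand-in: picks a canned result set by a substring of the SPL."""
    def run(spl):
        for marker, events in events_by_marker.items():
            if marker in spl:
                return iter(events)
        return iter(())
    return run


def investigate(run_search, allowed_src=ALLOWED_SRC, allowed_name=ALLOWED_NAME):
    """The if/else the question asked for, done in Python around two searches.

    Returns {"unauthorized": [router events from any other source],
             "logons": sorted users seen on the allowed workstation, or None
                       if the allowed workstation did not connect}.
    """
    router_events = list(run_search(ROUTER_SEARCH))
    report = {
        "unauthorized": [ev for ev in router_events if ev.get("SRC") != allowed_src],
        "logons": None,
    }
    if any(ev.get("SRC") == allowed_src for ev in router_events):
        # Only now spend a second search. Caveat from the question still applies:
        # a 30-minute window misses sessions that began earlier.
        logons = run_search(LOGON_SEARCH.format(host=allowed_name))
        report["logons"] = sorted({r["user"] for r in logons if r.get("user")})
    return report


# Constructed sample rows standing in for what the two searches would return.
SAMPLE_ROUTER_EVENTS = [
    {"_time": "2024-05-01T10:00:00", "host": "rtr-core-1", "SRC": "10.0.0.5"},
    {"_time": "2024-05-01T10:05:00", "host": "rtr-core-2", "SRC": "10.0.0.77"},
]
SAMPLE_LOGON_EVENTS = [
    {"_time": "2024-05-01T09:40:00", "user": "jdoe"},
    {"_time": "2024-05-01T09:55:00", "user": "svc-backup"},
    {"_time": "2024-05-01T09:58:00", "user": "jdoe"},
]
FAKE_RESULTS = {'source="syslog"': SAMPLE_ROUTER_EVENTS, "EventCode=4624": SAMPLE_LOGON_EVENTS}

if __name__ == "__main__":
    # Offline demo; pass splunk_rest_runner(base_url, token) instead for a live server.
    print(json.dumps(investigate(make_fake_runner(FAKE_RESULTS)), indent=2))
```

Run on a schedule (cron or a Splunk alert action that calls the script) the report gives both halves the question wanted: any router connection from a source other than the allowed workstation is flagged, and when the allowed workstation did connect, the second search is only then spent to list who was logged on to it. An empty `logons` list is itself worth alerting on, since it means the workstation touched a router with no 4624 in the window.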
