Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Conditional for Sub Search

kholleran
Communicator
‎07-30-2010 03:15 PM

Hello,

I have a search that looks for a particular set of data. if the data comes from a particular source address, I would like to run a second sub search that builds a list of logged in users from the Windows Event log.

Basically, I have some routers that generate syslog traffic when connected to. These can only be connected to by a single workstation. If for some reason they are connected via another workstation, we need to know and return this in the search. However, we also want to know when the allowed workstation connects and we want to determine who is logged into that workstation.

So something like:

source="syslog" minutesago=20 | if(SRC=ALLOWED_HOST, SUBSEARCH returns successful logins to ALLOWED_HOST in the past 30 minutes)

This is not entirely accurate as someone could be logged in for a longer period of time but it at least gives us more information.

Can anyone give me tips on how to build such a search?

Thanks.

Kevin

Tags (1)
Reply

Lowell
Super Champion
‎08-02-2010 06:36 PM

Conditional searching isn't really supported.

Splunk doesn't provide any kind of procedural language support within a search language. (Perhaps a database analogy would be helpful: Splunk provides SQL-like search language, but does not provide any kind of PL/SQL or T-SQL language around the searches themselves). Generally, this isn't much of a limitation. If you want to do procedural operations that involve splunk searches, then you can pick you own procedural language and easily execute splunk searches using REST API (HTTP calls) or use the splunk CLI search interface (os system calls) from the language of your choosing.

Related stuff:

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

How Edge Processor's Durable Queue Works

Edge Processor sits in one of the most consequential places in any Splunk pipeline: between your data sources ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...