I have a search that looks for a particular set of data. if the data comes from a particular source address, I would like to run a second sub search that builds a list of logged in users from the Windows Event log.
Basically, I have some routers that generate syslog traffic when connected to. These can only be connected to by a single workstation. If for some reason they are connected via another workstation, we need to know and return this in the search. However, we also want to know when the allowed workstation connects and we want to determine who is logged into that workstation.
So something like:
source="syslog" minutesago=20 | if(SRC=ALLOWED_HOST, SUBSEARCH returns successful logins to ALLOWED_HOST in the past 30 minutes)
This is not entirely accurate as someone could be logged in for a longer period of time but it at least gives us more information.
Can anyone give me tips on how to build such a search?
Splunk doesn't provide any kind of procedural language support within a search language. (Perhaps a database analogy would be helpful: Splunk provides SQL-like search language, but does not provide any kind of PL/SQL or T-SQL language around the searches themselves). Generally, this isn't much of a limitation. If you want to do procedural operations that involve splunk searches, then you can pick you own procedural language and easily execute splunk searches using REST API (HTTP calls) or use the splunk CLI search interface (os system calls) from the language of your choosing.