Splunk Search

Exclude IP address returned from subsearch in main search

apeadape
Explorer

Hello,

I've got a search query where I'm looking for unexpected ssh connections to my instances, but I've got one server where my IP address dynamically changes and I want to exclude the IP address of that host because I know there will be expected ssh connections from that IP address.

I'm running a subsearch to look at aws description logs, grabbing the IP of the box based on its name and returning the IP address in hopes I can use it in my main search. So far it's not working how I expect and I'm not sure why.

I would expect not to see entries for hostnameA with usernameA that's coming from a source IP that I'm getting from my subsearch, but my results include those entries.

Here's my search so far:

 

index=X sourcetype=linux_secure eventtype=sshd_authentication action=success
| eval exclude_host_ip=[ search index=X sourcetype=aws:description source=*:ec2_instances (tags.host=* OR tags.Name=*) earliest=-24h latest=now
| eval hostName=coalesce('tags.host', 'tags.Name')
| search hostName=dynamic_ip_hostname
| sort - _time
| dedup private_ip_address
| eval ip="\"".private_ip_address."\""
| return $ip]
| search
NOT (host=hostnameA AND user=usernameA AND user_src_ip=exclude_host_ip)
| table _time, user, host, user_src_ip
| sort - _time
| dedup _time user host user_src_ip
| rename _time as Time, user as "Username", host as "Host", user_src_ip as "Source IP"
| convert timeformat="%m-%d-%Y %H:%M:%S" ctime(Time)

 

1 Solution

apeadape
Explorer

I've been tinkering with this query off and on for a couple of days before I decided to post here, and then of course, an hour after I post this, I have an "ah ha" moment and I think this is working now.

Posting my fix here in case anybody has this question in the future. Please let me know if you know of a better or more efficient way to do this 🙂

Instead of doing an eval and then trying to use that value in the main search, I moved the subsearch to the field where I'm looking for the value.

index=X sourcetype=linux_secure eventtype=sshd_authentication action=success
NOT (host=hostnameA AND user=usernameA
  AND user_src_ip=[ search index=X sourcetype=aws:description source=*:ec2_instances (tags.host=* OR tags.Name=*) earliest=-24h latest=now
    | eval hostName=coalesce('tags.host', 'tags.Name')
    | search hostName=dynamic_ip_hostname
    | sort - _time
    | dedup private_ip_address
    | eval ip="\"".private_ip_address."\""
    | return $ip])
| table _time, user, host, user_src_ip
| sort - _time
| dedup _time user host user_src_ip
| rename _time as Time, user as "Username", host as "Host", user_src_ip as "Source IP"
| convert timeformat="%m-%d-%Y %H:%M:%S" ctime(Time)

 

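Two details explain why the first attempt returned the unwanted rows and why the fix works. A subsearch is evaluated first and its output is pasted into the outer search as text, so `eval exclude_host_ip=[ ... ]` just sets a constant; the later `search ... user_src_ip=exclude_host_ip` then compares the field against the literal string `exclude_host_ip`, not against the value in that field (the `search` command only does field=literal comparisons; field-to-field comparisons need `where`). Moving the subsearch into the filter itself pastes the IP where a literal belongs. The remaining caveat with `return $ip` is that `return` emits only one row by default, so if the instance held more than one private IP in the 24h window, only the first one after `sort - _time` is excluded and logins from the older address still show up. The search below is an added example, not the poster's query: it keeps the poster's field and placeholder names (`hostnameA`, `usernameA`, `dynamic_ip_hostname`, `user_src_ip`, `private_ip_address`) and replaces `dedup` plus `return` with `stats values(...)`, so the subsearch's implicit `format` step renders every address as `(user_src_ip="a" OR user_src_ip="b")` inside the `NOT` clause.

```spl
index=X sourcetype=linux_secure eventtype=sshd_authentication action=success
NOT (host=hostnameA AND user=usernameA
     AND [ search index=X sourcetype=aws:description source=*:ec2_instances (tags.host=* OR tags.Name=*) earliest=-24h latest=now
           | eval hostName=coalesce('tags.host', 'tags.Name')
           | search hostName=dynamic_ip_hostname
           | stats values(private_ip_address) AS user_src_ip ])
| table _time, user, host, user_src_ip
| sort - _time
| dedup _time user host user_src_ip
| rename _time as Time, user as "Username", host as "Host", user_src_ip as "Source IP"
| convert timeformat="%m-%d-%Y %H:%M:%S" ctime(Time)
```

To see exactly what is being spliced into the outer search, run the bracketed part on its own with `| format` appended; the single row it prints is the literal text the outer `NOT (...)` receives. Subsearches are also bounded by the `[subsearch]` limits in limits.conf (10,000 results and 60 seconds by default), which is comfortable for one instance's description events but worth remembering if the exclusion list is later widened to many hosts; at that point a lookup maintained from the aws:description data is the more robust exclusion mechanism.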