Splunk Search

Help with subsearch

New Member

I have this search 1:

index=br_activedirectory_microsoft EventCode=4624 Account_Domain=AGBANESPA Account_Name=A* 
 | fields Account_Domain, Account_Name, Source_Network_Address
 | dedup Account_Domain, Account_Name, Source_Network_Address
 | lookup dnslookup clientip as Source_Network_Address OUTPUT clienthost
 | eval user = substr(mvindex(Account_Name,1),2,4)
 | eval hostname = substr(clienthost,3,4)
 | where user !=hostname
 | lookup new_hostname_lookup hostname as hostname OUTPUT ENDEREÇO, UF, REG, CEP , REDE
 | lookup new_user_lookup user as user OUTPUT ENDEREÇO_user, UF_user, REG_user, CEP_user ,REDE_user
 | where REG !=REG_user AND REDE !=REDE_user
 | table Account_Name
 | rename Account_Name as "Siglas dos usúarios com acessos indevidos"

and I have this search 2:

index="br_activedirectory_microsoft"  EventCode=4624 OR EventCode=4634 Account_Name=A* Account_Domain=AGBANESPA
 | search NOT (Account_Name=$$ OR Account_Name=SYSTEM OR Account_Name=ANONYMOUS*)
 | eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0)) 
 | eval User=lower(User)
 | search NOT (User=*$$ OR User=system)
 | lookup dnslookup clientip as Source_Network_Address OUTPUT clienthost
 | transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
 | eval Logofftime=_time+duration
 | convert timeformat="%m/%d/%y %H:%M:%S" ctime(_time) as Logontime
 | convert timeformat="%m/%d/%y %H:%M:%S" ctime(Logofftime) as Logofftime
 | eval h=floor(duration/3600) | eval m=floor((duration-(h*3600))/60) | eval s=floor(duration-(h*3600)-(m*60)) | eval SessionDuration=h."h ".m."m ".s."s"
 | dedup Logontime, Logofftime, SessionDuration, User, clienthost
 | table Logontime, Logofftime, SessionDuration, User, clienthost
 | sort User ComputerName

I would like to put search "1" inside search "2". I have tried doing this following the tutorials, but it's still not working. I have used the brackets [] and I was sure that the fields and the index were the same in both searches.

 index="br_activedirectory_microsoft"  EventCode=4624 OR EventCode=4634 Account_Name=A* Account_Domain=AGBANESPA
 [ search index="br_activedirectory_microsoft" EventCode=4624 OR EventCode=4634  Account_Domain=AGBANESPA Account_Name=A* 
 | fields Account_Domain, Account_Name, Source_Network_Address
 | dedup Account_Domain, Account_Name, Source_Network_Address
 | lookup dnslookup clientip as Source_Network_Address OUTPUT clienthost
 | eval user = substr(mvindex(Account_Name,1),2,4)
 | eval hostname = substr(clienthost,3,4)
 | where user !=hostname
 | lookup new_hostname_lookup hostname as hostname OUTPUT ENDEREÇO, UF, REG, CEP , REDE
 | lookup new_user_lookup user as user OUTPUT ENDEREÇO_user, UF_user, REG_user, CEP_user ,REDE_user
 | where REG !=REG_user AND REDE !=REDE_user
 | table Account_Name
 | rename Account_Name as "Siglas dos usúarios com acessos indevidos"] 
 | search NOT (Account_Name=$$ OR Account_Name=SYSTEM OR Account_Name=ANONYMOUS*)
 | eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0)) 
 | eval User=lower(User)
 | search NOT (User=*$$ OR User=system)
 | lookup dnslookup clientip as Source_Network_Address OUTPUT clienthost
 | transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1
 | eval Logofftime=_time+duration
 | convert timeformat="%m/%d/%y %H:%M:%S" ctime(_time) as Logontime
 | convert timeformat="%m/%d/%y %H:%M:%S" ctime(Logofftime) as Logofftime
 | eval h=floor(duration/3600) | eval m=floor((duration-(h*3600))/60) | eval s=floor(duration-(h*3600)-(m*60)) | eval SessionDuration=h."h ".m."m ".s."s"
 | dedup Logontime, Logofftime, SessionDuration, User, clienthost
 | table Logontime, Logofftime, SessionDuration, User, clienthost
 | sort User ComputerName

Could you guys help me make the right search?

Thanks for all.

0 Karma
1 Solution

Splunk Employee
Splunk Employee

Your subsearch has this at the end:

| rename Account_Name as "Siglas dos usúarios com acessos indevidos"

The final field has to be a field that is in your data. If you remove this line, you will have what you need, as the field passed to the base search will now be a field that actually exists in the index.


0 Karma
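To see why the trailing `rename` breaks the outer search, it helps to look at what Splunk does with a subsearch result: each row of the returned table is turned into a `field="value"` clause, the rows are OR'd together, and that expression is AND'd onto the outer search. The following Python simulation of that expansion is an added example written for this thread, not Splunk code and not something from the original post; the events are constructed sample rows in the shape of the Account_Name field used above, and the field values are made up.

```python
"""Simulate Splunk's subsearch-to-filter expansion (added example, constructed data).

A subsearch returns a result table.  Splunk's implicit `format` step turns each row
into an AND of field="value" terms, ORs the rows together, and ANDs the whole thing
onto the outer search.  If the subsearch renamed its last column, the generated
clause names a field that is not present in the indexed events, so nothing matches.
"""
from typing import Dict, List

Row = Dict[str, str]

# Constructed sample of the outer search's events (not real Active Directory data).
EVENTS: List[Row] = [
    {"EventCode": "4624", "Account_Name": "A1234", "Source_Network_Address": "10.0.0.5"},
    {"EventCode": "4634", "Account_Name": "A1234", "Source_Network_Address": "10.0.0.5"},
    {"EventCode": "4624", "Account_Name": "A9999", "Source_Network_Address": "10.0.0.9"},
    {"EventCode": "4624", "Account_Name": "A5555", "Source_Network_Address": "10.0.0.7"},
]

# What the subsearch hands back when it ends with `| table Account_Name` ...
GOOD_SUBSEARCH: List[Row] = [{"Account_Name": "A1234"}, {"Account_Name": "A5555"}]

# ... and after the extra `| rename Account_Name as "Siglas dos ..."`.
DISPLAY_NAME = "Siglas dos usúarios com acessos indevidos"


def rename_column(rows: List[Row], old: str, new: str) -> List[Row]:
    """Mimic `| rename old as new` on a subsearch result table."""
    return [{(new if f == old else f): v for f, v in row.items()} for row in rows]


RENAMED_SUBSEARCH: List[Row] = rename_column(GOOD_SUBSEARCH, "Account_Name", DISPLAY_NAME)


def quote_field(name: str) -> str:
    """Field names containing spaces have to be quoted in the generated search."""
    return f'"{name}"' if " " in name else name


def format_subsearch(rows: List[Row]) -> str:
    """Mimic the `format` command: rows become `( f="v" AND g="w" )`, OR'd together.

    An empty result table is rendered as `NOT ()`, which matches no events.
    """
    if not rows:
        return "NOT ()"
    clauses = []
    for row in rows:
        terms = " AND ".join(f'{quote_field(f)}="{v}"' for f, v in row.items())
        clauses.append(f"( {terms} )")
    return "( " + " OR ".join(clauses) + " )"


def event_matches(event: Row, rows: List[Row]) -> bool:
    """The generated filter matches an event if every term of some row equals the event's fields."""
    return any(all(event.get(f) == v for f, v in row.items()) for row in rows)


def run_outer(events: List[Row], subsearch_rows: List[Row]) -> List[Row]:
    """Apply the subsearch-derived filter to the outer search's events."""
    return [e for e in events if event_matches(e, subsearch_rows)]


if __name__ == "__main__":
    print("filter without rename:", format_subsearch(GOOD_SUBSEARCH))
    print("matching events      :", len(run_outer(EVENTS, GOOD_SUBSEARCH)))
    print("filter with rename   :", format_subsearch(RENAMED_SUBSEARCH))
    print("matching events      :", len(run_outer(EVENTS, RENAMED_SUBSEARCH)))
```

With the table column left as `Account_Name`, the filter reads `( ( Account_Name="A1234" ) OR ( Account_Name="A5555" ) )` and three of the four constructed events survive. With the rename in place the filter is built on `"Siglas dos usúarios com acessos indevidos"="A1234"`, a field no event carries, and the outer search returns nothing, which is exactly the symptom in the question. A quick way to check this in Splunk itself is to run the subsearch on its own with `| format` appended and read the `search` field it produces.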

New Member

It was the problem! Thanks nvanderwalt, you are the man!

0 Karma

Ultra Champion

Can you please explain what you want to achieve? And in what sense "it's still not working"? What output do you get, how is that different from what you expected?

What troubleshooting have you done so far? Have you executed the subsearch (in that exact form) on its own, to confirm that gives the expected result?

0 Karma

SplunkTrust
SplunkTrust

I've added backticks for better readability.

Skalli

0 Karma