Splunk Search

How do you create a field value and pass it to a map?

JakeInfoSec
Explorer

So, the reason I am looking to do this search is because the logs for this system are not the greatest and, therefore, what I do is take an initial account I am investigating, search on that account for logins, and then use the session IDs from those logins and search on those session IDs. The reason is because the IPs and account names are not always included in every event/log for that particular session. I would like to be able to pass in the IP into each of the events that map is running over so that they can be created as a new field on that event. That way, I can make a table to track what IP was mapped to which session ID.

Here is what I have so far

index=blah METHODNAME="/login" OR METHODNAME="/logonuser" "accountname"
| rex field=DESCRIPTION "from\sip\:(?<ip2>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| rex field=DESCRIPTION "from\sip\:\s(?<ip3>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| eval IP=coalesce(ip2,ip3)
| stats count by SessionID IP
| map search="search index=blah $IP$ SessionID=$SessionID$"
| table _time, SessionID, IP, METHODNAME, _raw

I haven't been able to figure this out and am not sure whether or not this is possible with the map command. But, if not, is there a different way I could solve this issue, perhaps with just a regular subsearch?

0 Karma
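One way to carry the login IP onto every event that map returns, as an added example that is not part of the original post: map substitutes $field$ tokens anywhere in its search string, so the IP can be written back with eval inside the mapped search. The maxsearches value of 100 is an arbitrary assumption (map runs only 10 searches by default), and the two rex calls from the post are merged into one pattern with an optional space.

```spl
index=blah (METHODNAME="/login" OR METHODNAME="/logonuser") "accountname"
| rex field=DESCRIPTION "from\sip\:\s?(?<IP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| stats count by SessionID IP
| map maxsearches=100 search="search index=blah SessionID=\"$SessionID$\" | eval IP=\"$IP$\""
| table _time, SessionID, IP, METHODNAME, _raw
```

The mapped search filters on SessionID only, because using $IP$ as a search term would drop the session events that do not contain the address.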