Splunk Search

How do you create a field value and pass it to a map?

JakeInfoSec
Explorer

So, the reason I am looking to do this search is because the logs for this system are not the greatest and, therefore, what I do is take an initial account I am investigating, search on that account for logins, and then use the session IDs from those logins and search on those session IDs. The reason is because the IPs and account names are not always included in every event/log for that particular session. I would like to be able to pass in the IP into each of the events that map is running over so that they can be created as a new field on that event. That way, I can make a table to track what IP was mapped to which session ID.

Here is what I have so far (parentheses added around the OR so the index and account terms apply to both METHODNAME values; inside map, the session search no longer requires the IP to be present, and eval copies the outer IP value onto every returned event; maxsearches is raised above the default limit of 10):

index=blah (METHODNAME="/login" OR METHODNAME="/logonuser") "accountname"
| rex field=DESCRIPTION "from\sip\:(?<ip2>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| rex field=DESCRIPTION "from\sip\:\s(?<ip3>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| eval IP=coalesce(ip2,ip3)
| stats count by SessionID IP
| map maxsearches=100 search="search index=blah SessionID=$SessionID$ | eval IP=\"$IP$\""
| table _time, SessionID, IP, METHODNAME, _raw

I haven't been able to figure this out and am not sure whether or not this is possible with the map command. But, if not, is there a different way I could solve this issue, perhaps with just a regular subsearch?

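A subsearch-based alternative to map, added here as an example rather than taken from the original post. It assumes the same index, METHODNAME, DESCRIPTION and SessionID fields as the query above, and that every event for a session carries SessionID even when the IP and account name are missing:

```spl
index=blah
    [ search index=blah (METHODNAME="/login" OR METHODNAME="/logonuser") "accountname"
      | rex field=DESCRIPTION "from\sip\:\s?(?<IP>\d{1,3}(?:\.\d{1,3}){3})"
      | stats count by SessionID
      | fields SessionID ]
| rex field=DESCRIPTION "from\sip\:\s?(?<login_ip>\d{1,3}(?:\.\d{1,3}){3})"
| eventstats values(login_ip) as IP by SessionID
| table _time SessionID IP METHODNAME _raw
| sort SessionID _time
```

The subsearch expands to an OR of SessionID values, so one outer search retrieves every event for those sessions, and eventstats then copies the IP extracted from the login event onto the session's other events, which is what the map approach was trying to do. The single optional \s? covers both "from ip:" spellings that the original query handled with two rex commands.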