Splunk Search

How to edit my search to get all fields associated with an internal_message_id field?

packet_hunter
Contributor

Trying to correlate email security appliance logs to email malware analysis logs.

I am using the following code that returns a field internal_message_id with different values via | stats list(*).

index=AAA sourcetype="Xmail" eventtype=X_email [search index=BBB sourcetype=Y_cef_syslog eventtype=Y suser=*  | fields suser| rex field=suser "(?<attacker>[\w\d\.\-\@]+)" | eval sender= lower(attacker) |table sender] | search internal_message_id=*  |stats list(*)

Within index=AAA, there are a number of events that share the unique value for the internal_message_id field.

Need a little help pulling all the other field values from events (in index=AAA) that share the same unique internal_message_id value.

For example, with each unique internal_message_id, I can stitch together separate events that contain fields such as "sender" , "recipient", "message_subject", "file_name", etc.

Currently the code is returning the correct fields but more than just the specific events related to the subsearch sender results.

Any help greatly appreciated.

0 Karma
1 Solution

somesoni2
Revered Legend

How about this

index=AAA sourcetype="Xmail" eventtype=X_email [search index=BBB sourcetype=Y_cef_syslog eventtype=Y suser=*  | fields suser| rex field=suser "(?<attacker>[\w\d\.\-\@]+)" | eval sender= lower(attacker) |table sender] | search internal_message_id=*  |stats list(*) by internal_message_id

Update

Try this

index=AAA [ search index=AAA sourcetype="Xmail" eventtype=X_email [search index=BBB sourcetype=Y_cef_syslog eventtype=Y suser=*  | fields suser| rex field=suser "(?<attacker>[\w\d\.\-\@]+)" | eval sender= lower(attacker) |table sender] | stats count by internal_message_id  | table internal_message_id] | table *

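As an added illustration (not code from the thread and not Splunk's own), the following Python models what the accepted answer's nested subsearch does, step by step: extract the attacker address from suser in the malware-analysis index, find the internal_message_id values whose sender event matches one of those addresses, and only then pull every event sharing those ids, including the recipient, subject and attachment events that carry no sender field. The events, addresses and ids are constructed sample data; the field and index names are taken from the thread. It also contrasts the first attempt, where the subsearch acts as a plain sender= filter and therefore returns only the events that happen to contain a sender field.

```python
"""Two-stage correlation of email-gateway events by internal_message_id.

Added example, not code from the original thread. It models in plain Python
what the accepted nested-subsearch answer does in SPL:

  1. rex the attacker address out of suser in the malware-analysis index,
  2. find the internal_message_id values whose sender event matches one
     of those addresses,
  3. return every event that shares one of those ids, whatever fields it
     carries (recipient, message_subject, file_name, ...).

All events below are constructed sample data; index, sourcetype and field
names follow the thread, the values are invented.
"""
import re
from collections import defaultdict

# Same pattern the thread applies to suser: first run of word chars, dots, dashes and @.
ATTACKER_RE = re.compile(r"(?P<attacker>[\w\d.\-@]+)")

# index=BBB sourcetype=Y_cef_syslog events (constructed)
SANDBOX_EVENTS = [
    {"suser": "Mallory.Evil@Example.NET (verdict=malicious)"},
    {"suser": "trent@example.org"},
    {"suser": ""},  # suser present but empty: dropped, like suser=* in SPL
]

# index=AAA sourcetype=Xmail events: one message is spread over several events (constructed)
MAIL_EVENTS = [
    {"internal_message_id": "1001", "sender": "mallory.evil@example.net"},
    {"internal_message_id": "1001", "recipient": "alice@corp.example"},
    {"internal_message_id": "1001", "message_subject": "Invoice attached"},
    {"internal_message_id": "1001", "file_name": "invoice.pdf.exe"},
    {"internal_message_id": "1002", "sender": "bob@corp.example"},
    {"internal_message_id": "1002", "recipient": "alice@corp.example"},
    {"internal_message_id": "1002", "message_subject": "Lunch?"},
    {"internal_message_id": "1003", "sender": "trent@example.org"},
    {"internal_message_id": "1003", "recipient": "carol@corp.example"},
    {"internal_message_id": "1003", "file_name": "report.docm"},
]


def attacker_senders(sandbox_events):
    """Inner subsearch: rex the attacker out of suser, then eval sender=lower(attacker)."""
    senders = set()
    for ev in sandbox_events:
        suser = ev.get("suser", "")
        if not suser:  # suser=* requires a non-empty value
            continue
        m = ATTACKER_RE.search(suser)
        if m:
            senders.add(m.group("attacker").lower())
    return senders


def sender_matched_events(mail_events, senders):
    """First attempt from the thread: the subsearch becomes a sender=... filter.

    Only events that carry a sender field can match, so the recipient, subject
    and attachment events of the same message are left out. Values are compared
    lowercased to line up with the eval lower() in the subsearch (an assumption
    of this model, not a statement about Splunk's matching rules).
    """
    return [ev for ev in mail_events if ev.get("sender", "").lower() in senders]


def message_ids_for_senders(mail_events, senders):
    """Middle subsearch: stats count by internal_message_id | table internal_message_id."""
    return {ev["internal_message_id"] for ev in sender_matched_events(mail_events, senders)}


def correlate(mail_events, sandbox_events):
    """Outer search: index=AAA [ ...ids... ] | table *, grouped per message id.

    Returns {internal_message_id: {field: [values...]}}, the shape that
    stats list(*) by internal_message_id would produce.
    """
    ids = message_ids_for_senders(mail_events, attacker_senders(sandbox_events))
    merged = defaultdict(lambda: defaultdict(list))
    for ev in mail_events:
        mid = ev["internal_message_id"]
        if mid not in ids:
            continue
        for field, value in ev.items():
            if field != "internal_message_id":
                merged[mid][field].append(value)
    return {mid: dict(fields) for mid, fields in merged.items()}


if __name__ == "__main__":
    for mid, fields in sorted(correlate(MAIL_EVENTS, SANDBOX_EVENTS).items()):
        print(mid, fields)
```

Run as written, it prints the two correlated messages (1001 and 1003) with their sender, recipient, subject and attachment values collected together, while message 1002 from an internal sender is excluded; sender_matched_events shows why the single-subsearch version only ever returned the sender events.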


packet_hunter
Contributor

I must have accidentally cleaned out your additional post:

Can you just run this and see if it returns just the list of internal_message_id field which corresponds to attacker/sender from index=BBB?

index=AAA sourcetype="Xmail" eventtype=X_email [search index=BBB sourcetype=Y_cef_syslog eventtype=Y suser=*  | fields suser| rex field=suser "(?<attacker>[\w\d\.\-\@]+)" | eval sender= lower(attacker) |table sender] | stats count by internal_message_id  | table internal_message_id

If the above works fine without any problems, copy the above query into the following format

 index=AAA [ search   <>   ]  | table *

Yes sir!!! That also works!!! Thank you!

0 Karma

packet_hunter
Contributor

Thank you Somesoni2!
I had to clean up the post so as not to confuse anyone with my inability to post your query correctly.... d'oh!*&!
This is definitely what I was after, and I thank you for showing how to nest these subsearches correctly.

0 Karma