Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to edit my subsearch syntax to combine the results of my two searches?

tinylund
Explorer
‎08-29-2016 07:57 AM

Thanks in advance for any assistance..

I am trying to create an alert that creates a table that shows sourceIP, country, LogMessageID, VPNuser and VPNgroup for attempted VPN connections. I get the sourceIP for successful session creations to the IP address of the VPN devices.

     host=<perimeterFW> session_state!="denied" destIP=<VPN device IP> | iplocation sourceIP | table sourceIP country

That search works - I get a table showing all the sourceIPs and corresponding Countries.

I have extracted some fields from the internal firewall logs, LogMessageID, VPNsourceIP, VPNuserID and VPNgroupID.

Then I want to search the internal firewall logs to see if the sessions was successful (LogMessageID = 113039) or unsuccessful (LogMessageID = 302014). If I create a search:

     host=<internal firewall> (LogMessageID = 113039 OR LogMessageID=302014) | table LogMessageID VPNsourceIP VPNuserID VPNgroupID

Again, I successfully produce a table with the LogMessageID, VPNsourceIP, VPNuserID, and VPNgroupID.

Now I want to combine the two searches in an alert that triggers each time a VPN session is attempted:

  host=<perimeterFW> session_state!="denied" destIP=<VPN device IP> | iplocation sourceIP | (haven't found the correct command) [ host=<internal firewall> VPNsourceIP=sourceIP (LogMessageID = 113039 OR LogMessageID=302014) | return LogMessID=LogMessageID VPNuser=VPNuserID VPNgroup=VPNgroupID ] | table sourceIP Country LogMessID VPNuser VPNgroup

Currently I get a table with the sourceIP and country, but the other 3 columns are blank.

Thanks for your assistance.

0 Karma
Reply

sundareshr
Legend
‎08-29-2016 09:46 AM

See if this helps

(host=<perimeterFW> session_state!="denied" destIP=<VPN device IP>) OR (host=<internal firewall> (LogMessageID = 113039 OR LogMessageID=302014)) | eval ip=coalesce(sourceIP, VPNsourceIP) | iplocation ip | stats values(Country) as Country, values(LoGMessID) as LogMessID values(VPNuser) as VPNuser values(VPNgroup) as VPNgroup by ip
Reply

tinylund
Explorer
‎08-29-2016 10:39 AM

Went back to:

 (host= session_state!="denied" destIP=) OR (host= (LogMessageID = 113039 OR LogMessageID=302014)) | eval ip=coalesce(sourceIP, VPNsourceIP) | iplocation ip | stats values(Country) as Country, values(LoGMessID) as LogMessID values(VPNuser) as VPNuser values(VPNgroup) as VPNgroup by ip

removed the LogMessageID=302014 - for unsuccessful and now I get a table with successful connections populating the message, user and group column (unsuccessful connections have the 3 columns unpopulated). Now I will just audit for accuracy.

Reply

sundareshr
Legend
‎09-09-2016 03:15 PM

@tinylund did this check out OK. If it did, please mark the answer as accepted to close out the question.

0 Karma
Reply

tinylund
Explorer
‎08-29-2016 10:28 AM

Stepped backwards - that gives me 0 events

0 Karma
Reply

tinylund
Explorer
‎08-29-2016 10:08 AM

If I remove the sourceIP=VPNsourceIP from the second search, it tries to populate the other 3 columns - is there not a way to tie the second search to the sourceIP of the first search?

0 Karma
Reply

sundareshr
Legend
‎08-29-2016 10:12 AM

Try this

   host=<perimeterFW> session_state!="denied" destIP=<VPN device IP> | iplocation sourceIP | join sourceIP [ host=<internal firewall> (LogMessageID = 113039 OR LogMessageID=302014) | rename VPNSourceIP as SourceIP | return LogMessID VPNuser VPNgroup ] | table sourceIP Country LogMessID VPNuser VPNgroup
0 Karma
Reply

tinylund
Explorer
‎08-29-2016 10:06 AM

I still only get the IP and country in the table, the firewall message ID, VPN user and VPN group are still unpopulated.

0 Karma
Reply

sundareshr
Legend
‎08-29-2016 10:36 AM

Can you verify the fields names in this search? This should give all the fields (provided their the right fields).

0 Karma
Reply

kiran331
Builder
‎08-29-2016 09:18 AM

Use Join command:

 host= session_state!="denied" destIP= | iplocation sourceIP |join sourceIP [search  host=  (LogMessageID = 113039 OR LogMessageID=302014) | rename VPNsourceIP  as sourceIP ]| table sourceIP Country LogMessID VPNuser VPNgroup
0 Karma
Reply

tinylund
Explorer
‎08-29-2016 09:47 AM

The join documentation states:

A join is used to combine the results of a search and subsearch if specified fields are common to each.

The fields in the subsearch are not common to the first search.

0 Karma
Reply

JoshuaJohn
Contributor
‎08-29-2016 09:16 AM 
host= session_state!="denied" destIP= | iplocation sourceIP | append [ host= VPNsourceIP=sourceIP (LogMessageID = 113039 OR LogMessageID=302014) | return LogMessID=LogMessageID VPNuser=VPNuserID VPNgroup=VPNgroupID ] | table sourceIP Country LogMessID VPNuser VPNgroup

Did you try append?
or the join command?

https://answers.splunk.com/answers/144351/what-are-the-differences-between-append-appendpipe.html
http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/Join

0 Karma
Reply

tinylund
Explorer
‎08-29-2016 09:46 AM

The append command states that is will not work in real-time, I am trying to get an alert that will monitor VPN connections in real-time.

The join documentation states:

A join is used to combine the results of a search and subsearch if specified fields are common to each.

The fields in the subsearch are not common to the first search.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...