Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to pass a user ID to a new query?

rip_leroi
Explorer
‎03-01-2022 01:28 PM

I'm attempting to build a search around Okta authentication logs.  I want to run a query to check for any Multi factor update/change, collect the user ID and pass that to another search where I see the geolocation data where the User has authenticated previously over a specific time span.  Essentially, I'm trying to build a search to see if a user that requested an MFA change is doing it from a different geolocation than they normally authenticate from.

The query below shows all users that have have a MFA change with their corresponding geolocation data.  Is there a way to pass the user ID(s) to a different search where I can look at 7 days worth of their authentication activity to see if the geolocation matches? 

I've researched sub-searches but that doesn't work because I need the user ID first but the subsearch runs first and I don't have the user ID yet.  I looked at map which seems like it's the best solution, but there a lot of warnings about it being resource intensive.  If anyone can point me in the right direction, it would be very much appreciated.

 

 

index=okta eventType="user.mfa.factor.update" | stats values(actor.id), values(client.geographicalContext.State)

 

 

 

Labels (2)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎03-02-2022 12:58 AM

It can help other people to help if you can illustrate how the "another search" looks like, especially as you mentioned resource as a concern.

sub-searches but that doesn't work because I need the user ID first but the subsearch runs first and I don't have the user ID yet.

Why not use that illustrated query that returns users with MFA geolocation change as subsearch, then?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...