Splunk Search

How to pass a value from a search to another search?

xnx_1012
Explorer

I have two sources
- /var/log/secure
- /var/log/audit/audit.log

Here is my SPL so far

(index=* source="/var/log/secure" AND "*sudo*"  AND ("*chown*" OR "*useradd*" OR "*adduser*" OR "*userdel*" OR "*chmod*" OR "*usermod*")  AND COMMAND!="*egrep*") OR
    (index="*" source="/var/log/audit/audit.log" addr!=? res=success* [search index=* source="/var/log/secure" AND "*sudo*"  AND ("*chown*" OR "*useradd*" OR "*adduser*" OR "*userdel*" OR "*chmod*" OR "*usermod*")  AND COMMAND!="*egrep*"
| dedup date_month date_mday 
| fields date_month date_mday])
| regex _raw!= ".*user NOT in sudoers.*"
| rename acct as Users   
| rex field=_raw "(?<=sudo:)\s*(?P<Users>[[:alnum:]]\S*[[:alnum:]])\s*(?=\:).*(?<=COMMAND\=)(?<command>.*)"
| eval "Command/Events" = replace(command,"^(\/bin\/|\/sbin\/)","")
| eval Users = if(match(Users,"(?<=[[:alnum:]])\@[[:alnum:]]\S*[[:alnum:]]"),
    replace(Users,"(?<=[[:alnum:]])\@[[:alnum:]]\S*[[:alnum:]]",""),
    if(match(Users,"[[:alnum:]]+\\\(?=[[:alnum:]]\S*[[:alnum:]])"),
    replace(Users,"[[:alnum:]]+\\\(?=[[:alnum:]]\S*[[:alnum:]])","")
    ,Users))
| eval Time = if(source=="/var/log/secure" ,strftime(_time, "%Y-%d-%m %H:%M:%S"),null()), Date = strftime(_time, "%Y-%d-%m")
| eval "Report ID" = "ABLR-007"
| eval "Agency HF" = if(isnull(agencyhf),"",agencyhf)
| stats list(Time) as Time list("Command/Events") as "Command/Events" latest(addr) as "IP Address" by Users Date host index "Report ID" "Agency HF"
| where 'Command/Events' !=""
| eval counter=mvrange(0,mvcount(Time))
| streamstats count as sessions
| stats list(*) as * by sessions counter
| foreach Time "Command/Events"  [ eval <<FIELD>> = mvindex('<<FIELD>>', counter)]
| fields - counter sessions
| rename index as Agency, host as Hostname
| fields "Report ID" Time Agency Command/Events Hostname Users "IP Address" "Agency HF"

Problem
The SPL runs slow when I have big data. I just want to know if it is possible to trim down the results returned by /var/log/audit/audit.log by passing the latest time in /var/log/secure. For example, the latest record in /var/log/secure is May 5 2020, 2pm... is it possible to run a search for the other one, /var/log/audit/audit.log, that is from May 5 2020 00:00 to May 5 2pm? And if I have other events too, like Feb 3 8pm as the latest time... can I achieve it?

PavelP
Motivator

Hello @xnx_1012 ,

you can definitely optimize this search.

Your question: "I just want to know if it is possible to trim down the results returned by /var/log/audit/audit.log by passing the latest time in /var/log/secure." - I hope somebody can advise on this better than me.

"The SPL runs slow when I have big data." - I think this is caused by using too broad and not exact search criteria. Depending on your environment these adjustments can provide a major speedup:

  • specify index explicitly: replace index=* with index=your_index
  • use TERM(useradd) instead of *useradd*
  • try to use stats instead of subsearch
  • restrict the time range

Let me know if it worked
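Taking the question's "pass the latest time" idea further, as an added example that is not from this thread: the subsearch over /var/log/secure returns one earliest/latest pair per day (midnight to that day's latest matching sudo event, plus one second so the last event is included), and Splunk ORs those pairs together as time bounds for the audit.log search; it also applies the explicit-index and no-leading-wildcard advice from the answer above. The index name `your_index` and the per-day windows are assumptions.

```spl
index=your_index source="/var/log/audit/audit.log" addr!="?" res=success*
    [ search index=your_index source="/var/log/secure" sudo
          (chown OR useradd OR adduser OR userdel OR chmod OR usermod)
          COMMAND!="*egrep*"
      | bin span=1d _time as day
      | stats max(_time) as latest by day
      | eval earliest=day, latest=latest+1
      | fields earliest latest ]
| eval Time=strftime(_time, "%Y-%m-%d %H:%M:%S")
| table Time acct addr res
```

Subsearches are limited by default (roughly 60 seconds of runtime and 10,000 result rows), so keep the outer time picker tight and check the job inspector for a truncated subsearch. TERM() only matches a token bounded by major breakers such as spaces, so for a raw value like COMMAND=/usr/sbin/useradd the plain keyword useradd is what hits the index lexicon, while TERM(useradd) would not match it.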


xnx_1012
Explorer

Thank you for your reply. Is TERM faster, and is that why you suggest it? Also, how do I use it, and how can I implement stats? Sorry, a bit new to it.
