Splunk Search

How to pass one value at a time to a search from a subsearch?

dandaily
Explorer

I am looking to run anomaly detection on failed and successful logons per user per host over a given time frame (7 days with a span of 1 day). My hope is that the search will provide the results of only anomalous counts of logons per user per host. My initial thought was to run a search similar to this:

index=foo (sourcetype=auditd type=USER_AUTH OR type=USER_ERR res=failed op!=password) host=$host_one_at_a_time$ user=$user_one_at_a_time$ | timechart count by logon | anomalydetection

I don't know how to pass one value at a time to a search from a subsearch and would like to keep it automated. Ideally it would distinguish anomalies per host and user, but I would also be okay with just user. The goal is to identify when a user account gets crazy with successful or failed logins.

Thanks,

0 Karma

woodcock
Esteemed Legend

I do not understand your big picture, but you can "pass one value at a time to a search from a[nother] search" by using the map command (although you have to turn your thinking inside out a bit).

0 Karma
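As an added illustration of the map approach (this is example SPL written for this page, not woodcock's own search), the "inside out" part is that the list of values comes first and the per-value search runs inside map: an outer search enumerates every host/user pair seen in the last 7 days, and map then runs the inner search once per row, substituting that row's field values for the $host$ and $user$ tokens (the same role the $host_one_at_a_time$ placeholders play in the question). The index name, sourcetype and the host, user, res and type fields are taken from the question; the outcome field and the maxsearches value are assumptions for this example.

```spl
index=foo sourcetype=auditd (type=USER_AUTH OR type=USER_ERR) earliest=-7d latest=now
| stats count by host user
| map maxsearches=500 search="search index=foo sourcetype=auditd (type=USER_AUTH OR type=USER_ERR) host=\"$host$\" user=\"$user$\" earliest=-7d latest=now
    | eval outcome=if(res==\"failed\", \"failed\", \"success\")
    | timechart span=1d count by outcome
    | anomalydetection
    | eval host=\"$host$\", user=\"$user$\""
| table _time host user failed success
```

Three things to check before relying on this. Fields from the outer row are not visible inside the inner search, so the closing eval re-attaches host and user to each result; without it the rows from different pairs are indistinguishable once map concatenates them. map stops after maxsearches inner searches (the default is 10), so set it above the number of host/user pairs or the later pairs are silently dropped. And map runs one full search per pair, which is expensive on a busy index; if per-pair daily counts are all that is needed, the same table can be built in a single pass with bin _time span=1d followed by stats count(eval(res="failed")) AS failed count(eval(res!="failed")) AS success by _time host user, and anomalydetection run on that, reserving map for cases where the inner search genuinely has to be a separate search.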