I am looking to run anomaly detection on failed and successful logons per user per host over a given time frame (7 days with a span of 1 day). My hope is that the search will provide the results of only anomalous counts of logons per user per host. My initial thought was to run a search similar to this:
index=foo (sourcetype=auditd type=USER_AUTH OR type=USER_ERR res=failed op!=password) host=$host_one_at_a_time$ user=$user_one_at_a_time$ | timechart count by logon | anomalydetection
I don't know how to pass one value at a time to a search from a subsearch and would like to keep it automated. Ideally it would distinguish anomalies per host and user, but I would also be okay with just user. The goal is to identify when a user account gets crazy with successful or failed logins.
Thanks,
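The detection the question asks for, worked through outside Splunk as an added example (this is not code from the original post or from Splunk): bucket auditd-style authentication records into 1-day bins over a 7-day window, keyed by host, user and outcome, and flag days whose count departs from that series' own baseline. The log lines, host names, users and counts below are constructed for the example, the `host` key stands in for Splunk's `host` field, and the MAD-based robust z-score with a 3.5 threshold is one reasonable choice of anomaly rule, not the rule `anomalydetection` itself uses.

```python
"""Per-user, per-host daily logon-count anomaly detection over auditd-style records."""
import re
import statistics
from collections import defaultdict

DAY = 86400
T0 = 19675 * DAY  # constructed, day-aligned start epoch (2023-11-14 00:00 UTC)

# Fields pulled from each record: epoch inside msg=audit(...), acct, hostname, res.
LINE_RE = re.compile(
    r'type=(?P<type>USER_AUTH|USER_ERR) msg=audit\((?P<epoch>\d+)\.\d+:\d+\): '
    r'.*?acct="(?P<user>[^"]+)".*?hostname=(?P<host>\S+).*?res=(?P<res>success|failed)'
)


def _line(ts, serial, user, host, res):
    """Emit one constructed auditd USER_AUTH record (sample data, not real audit output)."""
    return (f"type=USER_AUTH msg=audit({ts}.000:{serial}): pid=2401 uid=0 auid=1000 ses=3 "
            f"msg='op=PAM:authentication grantors=pam_unix acct=\"{user}\" exe=\"/usr/sbin/sshd\" "
            f"hostname={host} addr=10.0.0.5 terminal=ssh res={res}'")


def make_sample():
    """Seven days of constructed events:
    - alice on web01: 4 successful logons every day, plus 40 failed attempts on day 5
    - bob on db01: a slightly noisy baseline (5-7/day) that jumps to 30 on day 6
    """
    lines, serial = [], 0
    for day in range(7):
        for i in range(4):
            serial += 1
            lines.append(_line(T0 + day * DAY + 3600 * i, serial, "alice", "web01", "success"))
    for i in range(40):
        serial += 1
        lines.append(_line(T0 + 5 * DAY + 7200 + 10 * i, serial, "alice", "web01", "failed"))
    for day, n in enumerate([5, 6, 5, 7, 6, 5, 30]):
        for i in range(n):
            serial += 1
            lines.append(_line(T0 + day * DAY + 60 * i, serial, "bob", "db01", "success"))
    return lines


def daily_counts(lines, span=DAY):
    """Bucket records into bins of `span` seconds per (host, user, outcome):
    the equivalent of a per host/user `timechart span=1d count`."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not an authentication record
        bin_start = (int(m["epoch"]) // span) * span
        counts[(m["host"], m["user"], m["res"])][bin_start] += 1
    return counts


def anomalous_days(series, days, threshold=3.5):
    """Return (day, count) pairs whose count is more than `threshold` robust
    z-scores from the series' median (median absolute deviation scale).
    Days with no events count as 0, so a burst after silence is still caught."""
    values = [series.get(d, 0) for d in days]
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    flagged = []
    for d, v in zip(days, values):
        if mad == 0:
            if v != med:  # flat baseline: any departure from it is anomalous
                flagged.append((d, v))
        elif abs(0.6745 * (v - med) / mad) > threshold:
            flagged.append((d, v))
    return flagged


def detect(lines, span=DAY, window_days=7):
    """Run the anomaly rule for every (host, user, outcome) series over the
    most recent `window_days` bins seen in the data."""
    counts = daily_counts(lines, span)
    days = sorted({d for s in counts.values() for d in s})[-window_days:]
    results = {}
    for key, series in counts.items():
        flagged = anomalous_days(series, days)
        if flagged:
            results[key] = flagged
    return results


if __name__ == "__main__":
    for (host, user, res), hits in sorted(detect(make_sample()).items()):
        for day, count in hits:
            print(f"{host} {user} {res}: {count} logons in bin starting at epoch {day}")
```

The flat success series for alice is never flagged, the 40 failed attempts on day 5 are flagged even though every other day has zero failures, and bob's 30 logons stand out against a baseline that already varies between 5 and 7. Because each (host, user, outcome) series is scored against its own history, a service account that normally logs on 500 times a day is not flagged for doing so.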
I do not understand your big picture but you can "pass one value at a time to a search from a[nother] search" by using the map command (although you have to turn your thinking inside out a bit).