Splunk Search

How to search all events from multiple sourcetypes that have a matching field?

festeves
Engager

Hi,

I'm new to Splunk and I want to make a search that finds all events from multiple sourcetypes that have a matching field.

For example:
I have a sourcetypeA (threat_script_match) whose only field is an IP address, and I have a sourcetypeB (opnsense) with source and dest. IP fields.

I want to be able to do something like a wildcard of sourcetypeA (which is much, much smaller, only ~500 events) and return all events from sourcetypeB that also contain the matching IPs. I can get the results I want using a giant chain of OR statements, i.e. 1.1.1.1.1 OR 1.1.1.1.0 OR ... However, that is not a good long-term solution.

Here's what I have so far:

sourcetype=opnsense [search sourcetype=Threat_script_match | return threat_src_IP=src_IP]

Any help would be awesome, thanks.

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

You were almost there. Try like this. For a field-based search, e.g. (src_IP=1.1.1.1 OR ...) OR (dest_IP=1.1.1.1 OR ...):

sourcetype=opnsense [search sourcetype=Threat_script_match | table threat_src_IP | rename threat_src_IP as src_IP ] OR [search sourcetype=Threat_script_match | table threat_src_IP | rename threat_src_IP as dest_IP ]

OR (for a string-based search, e.g. 1.1.1.1.1 OR 1.1.1.1.0 OR ...; this will be slower):

   sourcetype=opnsense [search sourcetype=Threat_script_match | table threat_src_IP | rename threat_src_IP as search ]

festeves
Engager

Thanks for the response!
I tried the solutions you offered and also made my own changes; however, the search does not return any results.

Sourcetype=Threat_script_match contains events with only one field, which is an IP address (threat_src_IP).
Sourcetype=opnsense contains events from firewall logs, which have many different fields; however, I am interested in the source IP (src_IP).
What I'm trying to do is search the intersection of events from both, comparing the similar IP fields, which is to show all the events from opnsense that have matched the IPs from my threat_script_match. I have been reading about subsearches and multisearches, yet I can't find anything in the Splunk docs similar to what I'm trying to accomplish.
Thanks.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

This should do what you described above:

sourcetype=opnsense [search sourcetype=Threat_script_match | stats count by threat_src_IP | rename threat_src_IP as src_IP ]

The subsearch will generate a list of distinct threat_src_IP field values and add it to the base search as a filter on the field src_IP, so the resulting search would look like this. This will work if you have both the threat_src_IP and src_IP fields extracted.

sourcetype=opnsense ((src_IP="X.X.X.X") OR (src_IP="X.X.X.X") OR ... (src_IP="X.X.X.X"))
0 Karma
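As an added example (not posted by either participant), the same subsearch technique extended to match the threat IP against either src_IP or dest_IP with a single subsearch, by having it return a field named search, whose value Splunk splices into the outer search verbatim. It assumes the field names used in this thread (threat_src_IP, src_IP, dest_IP) and, as my own assumption, a 24-hour window for the threat list.

```spl
sourcetype=opnsense
    [ search sourcetype=Threat_script_match earliest=-24h
      | stats count by threat_src_IP
      | eval search="(src_IP=\"" . threat_src_IP . "\" OR dest_IP=\"" . threat_src_IP . "\")"
      | fields search ]
```

Running only the bracketed part with `| format` appended shows the exact OR-list Splunk will splice in, which is the quickest way to debug a subsearch that returns nothing. Subsearches are capped by default at 10,000 result rows and 60 seconds, so a threat list that grows well beyond the ~500 events here should be moved into a lookup instead.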

festeves
Engager

Quick update:
I used this search and it returned the events I'd like to see! Thanks!
I'm having some other issues with the timeframe in my script, but that's unrelated to this. I'm one step closer to the simple automated report I'm trying to do!
Thank you

0 Karma