How to search all events from multiple sourcetypes that have a matching field?

Engager

Hi,

I'm new to Splunk and I want to make a search that finds all events from multiple sourcetypes that have a matching field.

For example:
I have a sourcetypeA (threatscriptmatch) whose only field is an IP address, and I have a sourcetypeB (opnsense) with source and dest. IP fields.

I want to be able to do like a wildcard of sourcetypeA (which is much, much smaller, only ~500 events) and return all events from sourcetypeB that also contain the matching IPs. I can get the results I want using a giant chain of OR statements, i.e. 1.1.1.1.1 OR 1.1.1.1.0 OR ... However, that is not a good long-term solution.

Here's what I have so far:

sourcetype=opnsense [search sourcetype=Threat_script_match | return threat_src_IP=src_IP]

Any help would be awesome, thanks.

SplunkTrust

You were almost there. Try like this. For a field-based search, e.g. (srcIP=1.1.1.1 OR ...) OR (destIP=1.1.1.1 OR ...):

sourcetype=opnsense [search sourcetype=Threat_script_match | table threat_src_IP | rename threat_src_IP as src_IP ] OR [search sourcetype=Threat_script_match | table threat_src_IP | rename threat_src_IP as dest_IP ]

OR (for a string-based search, e.g. 1.1.1.1.1 OR 1.1.1.1.0 OR ..., which will be slower):

sourcetype=opnsense [search sourcetype=Threat_script_match | table threat_src_IP | rename threat_src_IP as search ]

Engager

Thanks for the response!
I tried the solutions you offered and tried my own changes; however, the search does not return any results.

Sourcetype=Threatscriptmatch contains events with only one field, which is an IP address (ThreatscrIP).
Sourcetype=opnsense contains events from firewall logs, which have many different fields; however, I am interested in the source IP (srcIP).
What I'm trying to do is search the intersection of events from both, comparing the similar IP fields, which is to show all the events from opnsense that have matched the IPs from my threat_script_match. I have been reading about sub-searches and multisearches, yet I can't find something similar on the Splunk docs to what I'm trying to accomplish.
Thanks.

SplunkTrust

This should do what you described above:

sourcetype=opnsense [search sourcetype=Threat_script_match | stats count by threat_src_IP | rename threat_src_IP as src_IP ]

The subsearch will generate a list of distinct threatsrcIP field values and add it to the base search as a filter for the field srcIP. So the resulting search would be like this. This will work if you have both the threatsrcIP and srcIP fields extracted.

sourcetype=opnsense ((src_IP="X.X.X.X") OR (src_IP="X.X.X.X") OR ... (src_IP="X.X.X.X"))
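To make the subsearch expansion from the answer above concrete, here is a small Python simulation (an added example, not code from the thread or from Splunk): it derives the distinct values that `stats count by threat_src_IP` would return, renders the `(src_IP="...") OR ...` filter they are substituted into, and applies that field-based match to constructed firewall events across both src_IP and dest_IP, as the accepted answer does. All event data below are constructed for illustration.

```python
"""Simulate how a Splunk subsearch over a threat list expands into an OR filter.

All sample data here is constructed for illustration; it is not from the thread.
"""
from __future__ import annotations

# Constructed threat-list events (stands in for sourcetype=Threat_script_match).
THREAT_EVENTS = [
    {"threat_src_IP": "203.0.113.5"},
    {"threat_src_IP": "198.51.100.23"},
    {"threat_src_IP": "203.0.113.5"},  # duplicate: 'stats count by' collapses it
]

# Constructed firewall events (stands in for sourcetype=opnsense).
FIREWALL_EVENTS = [
    {"src_IP": "10.0.0.12", "dest_IP": "203.0.113.5", "action": "pass"},
    {"src_IP": "198.51.100.23", "dest_IP": "10.0.0.7", "action": "block"},
    {"src_IP": "10.0.0.9", "dest_IP": "192.0.2.44", "action": "pass"},
    {"src_IP": "10.0.0.3", "dest_IP": "203.0.113.50", "action": "pass"},
]


def subsearch_values(events, field):
    """'stats count by <field>': the distinct values the subsearch hands back."""
    return sorted({e[field] for e in events if field in e})


def expanded_filter(values, target_field):
    """Render the OR chain the base search receives after the rename,
    e.g. ((src_IP="a") OR (src_IP="b"))."""
    return "(" + " OR ".join(f'({target_field}="{v}")' for v in values) + ")"


def match_field_based(events, values, fields):
    """Field-based match: keep an event if any named field equals a listed value.
    Passing both src_IP and dest_IP mirrors the answer's two-subsearch OR form.
    Equality on the field means 203.0.113.50 does not match 203.0.113.5."""
    wanted = set(values)
    return [e for e in events if any(e.get(f) in wanted for f in fields)]


if __name__ == "__main__":
    ips = subsearch_values(THREAT_EVENTS, "threat_src_IP")
    print(expanded_filter(ips, "src_IP"))
    for hit in match_field_based(FIREWALL_EVENTS, ips, ("src_IP", "dest_IP")):
        print(hit)
```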

Engager

Quick update:
I used this search and it returned events that I'd like to see! Thanks!
I'm having some other issues with the timeframe with my script, but that's unrelated to this. I'm 1 step closer to a simple automated report I'm trying to do!
Thank you