Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to take a result from one search into another search

ejans100
Observer
‎06-18-2018 07:23 PM

Hi, I'm trying to see if there is an easy way to take a result from event error codes, attempting to logon a disabled account for example, and pipe those users/events to see if they ended up successfully logging in. I'm very new to this so any guidance is much appreciated!

Tags (1)
0 Karma
Reply

MuS
Legend
‎06-18-2018 07:47 PM

Hi ejans100,

this is called using a subsearch, and it can provide results from one search to another search. There are some things you need to consider before using subsearches, easiest to read here : http://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutsubsearches#Subsearch_performance_con...

To your question, and without knowing anything about your events you can do something like this:

 index=2 [ index=1 account_status="disabled" action="login" | return account ] | ...

what this does is: it runs the subsearch first (important to know!) and returns the account from index=1 for disabled account_status which had a action=login and searches index=2 for accounts found in index=1.
This is a very simple and basic example, there are also other ways to do this using lookups or stats. But give this a try ...

Hope this helps ...

cheers, MuS

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...