How to take a result from one search into another ...

ejans100 · ‎06-18-2018

Hi, I'm trying to see if there is an easy way to take a result from event error codes, attempting to logon a disabled account for example, and pipe those users/events to see if they ended up successfully logging in. I'm very new to this so any guidance is much appreciated!

MuS · ‎06-18-2018

Hi ejans100,

this is called using a subsearch, and it can provide results from one search to another search. There are some things you need to consider before using subsearches, easiest to read here : http://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutsubsearches#Subsearch_performance_con...

To your question, and without knowing anything about your events you can do something like this:

 index=2 [ index=1 account_status="disabled" action="login" | return account ] | ...

what this does is: it runs the subsearch first (important to know!) and returns the account from index=1 for disabled account_status which had a action=login and searches index=2 for accounts found in index=1.
This is a very simple and basic example, there are also other ways to do this using lookups or stats. But give this a try ...

Hope this helps ...

cheers, MuS

How to take a result from one search into another search

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!