Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to take a result from one search into another search

ejans100
Observer
‎06-18-2018 07:23 PM

Hi, I'm trying to see if there is an easy way to take a result from event error codes, attempting to logon a disabled account for example, and pipe those users/events to see if they ended up successfully logging in. I'm very new to this so any guidance is much appreciated!

Tags (1)
0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎06-18-2018 07:47 PM

Hi ejans100,

this is called using a subsearch, and it can provide results from one search to another search. There are some things you need to consider before using subsearches, easiest to read here : http://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutsubsearches#Subsearch_performance_con...

To your question, and without knowing anything about your events you can do something like this:

 index=2 [ index=1 account_status="disabled" action="login" | return account ] | ...

what this does is: it runs the subsearch first (important to know!) and returns the account from index=1 for disabled account_status which had a action=login and searches index=2 for accounts found in index=1.
This is a very simple and basic example, there are also other ways to do this using lookups or stats. But give this a try ...

Hope this helps ...

cheers, MuS

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...