Splunk Search
Highlighted

How to use a table as input for a new search

New Member

Hi all. I'm trying to write a search that will list users with more than 5 failed logins in the past 8 hours and then from that result, show those users that have had a failure in the past hour. I've got the first part working with this search:

index="my_index" sourcetype="my_sourcetype" earliest=-10h@h action="failed login" | stats count by username, action | where count > 5 | table username

I now have a table with the usernames I want to run my secondary search for.

How do I take that table and run a new search against it?

Thanks in advance.

0 Karma
Highlighted

Re: How to use a table as input for a new search

Builder
index="my_index" sourcetype="my_sourcetype" earliest=-1h@h   [ search index="my_index" sourcetype="my_sourcetype" earliest=-10h@h latest=-1h@h action="failed login" | stats count by username, action | where count > 5 | table username ] 

The [subsearch] runs first, which produces the list of username which is fed to the main search.
https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchTutorial/Useasubsearch#Example_2:_Search_wi...

View solution in original post

0 Karma