Splunk Search

How to use search results in a table in a new search also using row count?

dt9150813
Engager

I'm still learning Splunk and would like to learn how to combine some searches.

Goal: Use the VPN search results to perform firewall searches according to how many VPN records found.

Example:
1. Search the vpn index to get a table of assigned_ip and the login/logout time:

index=vpn computer_name=Desktop_1 | table assigned_ip login_time logout_time

assigned_ip      login_time   logout_time
10.255.111.112   1728409500   1728459000
10.255.119.199   1728392083   1728401383


2. Use the result above to do a firewall search (I'd like to use results from step 1 instead of the hardcoded values. I also want to append separate rows found in step 1 to find firewall records during different ip assignments):

index=firewall source_ip=10.255.111.112 earliest=1728409500 latest=1728459000
| append [ search index=firewall source_ip=10.255.119.199 earliest=1728392083 latest=1728401383 ]
| stats count by destination_ip

The closest I got so far is using separate subsearch returns, which takes longer to run and doesn't seem to return more than 1 value:

index=firewall
    source_ip=[ search index=vpn computer_name=Desktop_1 | return $assigned_ip ]
    latest=[ search index=vpn computer_name=Desktop_1 | return $logout_time ]
    earliest=[ search index=vpn computer_name=Desktop_1 | return $login_time ]
| stats count by destination_ip

Is there a way to do this? I also tried to use tojson(), but it returns 1 table row into its own json object that I can't use together for the firewall search.

Thank you so much in advance 🙂

1 Solution

ITWhisperer
SplunkTrust

Try something like this

index=firewall [ search index=vpn computer_name=Desktop_1 | table assigned_ip login_time logout_time | rename login_time as earliest | rename logout_time as latest ]
| stats count by destination_ip
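Added example, not from the thread: the first search makes the mechanism the accepted answer relies on visible by appending `| format` to the subsearch, which returns a single `search` field holding the query text Splunk would splice into the outer search, one parenthesised `source_ip AND earliest AND latest` clause per VPN row joined by OR. The second search is the complete version; renaming `assigned_ip` to `source_ip` is an assumption that the firewall events carry the client address in `source_ip`, as in the question's hardcoded search.

```spl
index=vpn computer_name=Desktop_1
| table assigned_ip login_time logout_time
| rename assigned_ip AS source_ip, login_time AS earliest, logout_time AS latest
| format

index=firewall
    [ search index=vpn computer_name=Desktop_1
      | table assigned_ip login_time logout_time
      | rename assigned_ip AS source_ip, login_time AS earliest, logout_time AS latest ]
| stats count BY destination_ip
```

Subsearches are capped by `limits.conf` (`[subsearch]` `maxout`, default 10000 rows, and `maxtime`, default 60 seconds), and past those limits the generated clause list is silently truncated. For a large VPN table, compare the number of clauses in the `| format` output against the VPN result count before trusting the firewall totals.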


dt9150813
Engager

That works! Thank you so much!
