Splunk Search

How to use the result of a first search in entry of a second search?

darphboubou
Explorer

Hi,

I would like to get the servers that use only NTLMv1.

So in a first search I am using this command:

index="windows" EventCode=4624 AND (host="*-toto") Authentication_Package=NTLM Package_Name__NTLM_only_="NTLM V1"

I want to inject the result of this search into a second search to retrieve the servers which are using NTLMv2.

At the end of those searches I want to get the servers that only use NTLMv1.

How can I proceed?

Regards


richgalloway
SplunkTrust

It depends on what needs to be passed from the first search to the second, how the passed fields will be used, and what the desired results are.

In general, it's like this

<<second search>> [ <<first search>> ]

The results of the first search are appended to the second search in (foo=bar OR baz=fubar) format.

Tell us more about the problem you're trying to solve and we can be more specific.

---
If this reply helps you, Karma would be appreciated.
0 Karma

darphboubou
Explorer

Thanks @richgalloway for your answer.

As you can see in the command line below, first I search for all the computers which are using NTLMv1.

index="windows" AND (host="toto") Authentication_Package=NTLM Account_Domain!="NT AUTHORITY" Package_Name__NTLM_only_="NTLM V1"

Let's say that the result of this search gives me these 3 computer names:

ComputerA

ComputerB

ComputerC

I want to put this result (these 3 computers) into this command line

index="windows" AND (host="toto") Authentication_Package=NTLM Account_Domain!="NT AUTHORITY" Package_Name__NTLM_only_="NTLM V2"

to check if these 3 computers are also using NTLMv2. I want to know if one or more of these computers do not show up after the second search. This way, I will know that computerX never used NTLMv2.

At the end of my search, I want to know the names of the computers that only use NTLMv1.

Sorry for my English.

Regards

0 Karma

richgalloway
SplunkTrust

That's different. We can just merge the two searches to get a list of computers that only use NTLMV1.

index="windows" AND (host="toto") Authentication_Package=NTLM Account_Domain!="NT AUTHORITY" (Package_Name__NTLM_only_="NTLM V1" OR Package_Name__NTLM_only_="NTLM V2")
| stats values(Package_Name__NTLM_only_) as Package_Name__NTLM_only_ by ComputerName
| where (mvcount(Package_Name__NTLM_only_)=1 AND Package_Name__NTLM_only_="NTLM V1")
---
If this reply helps you, Karma would be appreciated.
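Added example, not code from this thread or from Splunk: the accepted merged search above (stats values(...) by computer, then keep rows where the multivalue field has exactly one value and it is "NTLM V1") and the two-search idea from the original question (computers seen with NTLMv1 minus computers seen with NTLMv2, which is what the subsearch form in the earlier reply would produce) re-implemented in Python over constructed 4624-style events. The field names are the ones Splunk extracts from Windows Security logs; the hostnames (dc01, dc02, ComputerA..D) and the domain name CORP are invented sample data. Both approaches are run over the same events so their results can be compared offline.

```python
"""Re-implementation of the NTLMv1-only logic from the Splunk answer (added example).

Events are constructed stand-ins for Windows Security EventCode 4624 records with
the field names Splunk extracts (Package_Name__NTLM_only_ is the "Package Name
(NTLM only)" field). Hostnames, workstation names and the CORP domain are invented.
"""
from collections import defaultdict

NTLM_V1 = "NTLM V1"
NTLM_V2 = "NTLM V2"


def _event(workstation, package, host="dc01", auth="NTLM", domain="CORP"):
    """Build one constructed 4624-style event dict (sample data, not a real log)."""
    return {
        "EventCode": "4624",
        "host": host,                      # Splunk host field: the server that logged the event
        "Authentication_Package": auth,
        "Account_Domain": domain,
        "Workstation_Name": workstation,   # the client that authenticated
        "Package_Name__NTLM_only_": package,
    }


SAMPLE_EVENTS = [  # constructed sample data
    _event("ComputerA", NTLM_V1),
    _event("ComputerA", NTLM_V1, host="dc02"),
    _event("ComputerA", "-", auth="Kerberos"),            # Kerberos logon: filtered out by the base search
    _event("ComputerB", NTLM_V1),
    _event("ComputerB", NTLM_V2),                         # mixed V1/V2: not V1-only
    _event("ComputerC", NTLM_V1, host="dc02"),
    _event("ComputerC", NTLM_V2, domain="NT AUTHORITY"),  # dropped by Account_Domain!="NT AUTHORITY"
    _event("ComputerD", NTLM_V2),                         # V2-only
]


def ntlm_events(events):
    """The base search: EventCode 4624, NTLM authentication package,
    Account_Domain != "NT AUTHORITY", package name NTLM V1 or NTLM V2."""
    for e in events:
        if e.get("EventCode") != "4624":
            continue
        if e.get("Authentication_Package") != "NTLM":
            continue
        if e.get("Account_Domain") == "NT AUTHORITY":
            continue
        if e.get("Package_Name__NTLM_only_") not in (NTLM_V1, NTLM_V2):
            continue
        yield e


def packages_by_computer(events):
    """| stats values(Package_Name__NTLM_only_) as packages values(host) as hosts by Workstation_Name"""
    rows = defaultdict(lambda: {"packages": set(), "hosts": set()})
    for e in ntlm_events(events):
        row = rows[e["Workstation_Name"]]
        row["packages"].add(e["Package_Name__NTLM_only_"])
        row["hosts"].add(e["host"])
    return dict(rows)


def ntlmv1_only(events):
    """| where mvcount(packages)=1 AND packages="NTLM V1"  -> sorted computer names"""
    return sorted(name for name, row in packages_by_computer(events).items()
                  if row["packages"] == {NTLM_V1})


def ntlmv1_only_via_subsearch(events):
    """The question's two-search idea: computers seen with V1, minus those seen with V2."""
    seen_v1 = {e["Workstation_Name"] for e in ntlm_events(events)
               if e["Package_Name__NTLM_only_"] == NTLM_V1}
    seen_v2 = {e["Workstation_Name"] for e in ntlm_events(events)
               if e["Package_Name__NTLM_only_"] == NTLM_V2}
    return sorted(seen_v1 - seen_v2)


def hosts_for(events, computer):
    """Which logging hosts (the values(host) column) reported one computer's NTLM logons."""
    row = packages_by_computer(events).get(computer, {"hosts": set()})
    return sorted(row["hosts"])


if __name__ == "__main__":
    print("NTLMv1-only (merged search):  ", ntlmv1_only(SAMPLE_EVENTS))
    print("NTLMv1-only (subsearch style):", ntlmv1_only_via_subsearch(SAMPLE_EVENTS))
    for c in ntlmv1_only(SAMPLE_EVENTS):
        print(c, "logged by", hosts_for(SAMPLE_EVENTS, c))
```

Both functions return ComputerA and ComputerC for the sample data: ComputerB is excluded because it has a V2 logon, ComputerD because it never used V1, and ComputerC stays V1-only because its only V2 event comes from NT AUTHORITY and is dropped by the base filter, exactly as the SPL does. One caveat that applies to the SPL as well: "V1-only" means V1-only within the search window, so a computer whose V2 logons simply fall outside the time range will show up in the list; run the search over a window long enough to cover the authentication patterns you care about before treating the result as a list of hosts that would break under a stricter LmCompatibilityLevel.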

darphboubou
Explorer

@richgalloway  Perfect 🙂

0 Karma

darphboubou
Explorer

How can I add the Host to the table given by the request? I'm unable to show the host field in the result actually.

index="windows" EventCode=4624 AND (host=*) Authentication_Package=NTLM Account_Domain!="NT AUTHORITY" (Package_Name__NTLM_only_="NTLM V1" OR Package_Name__NTLM_only_="NTLM V2")
| stats values(Package_Name__NTLM_only_) as Package_Name__NTLM_only_ by Workstation_Name
| where (mvcount(Package_Name__NTLM_only_)=1 AND Package_Name__NTLM_only_="NTLM V1")
| join type=left Workstation_Name [ search index=bel_ldapsearch AND (type=server) earliest=-1d@d latest=@d | table name operatingSystem | rename name as Workstation_Name operatingSystem as os ]
| table Workstation_Name Package_Name__NTLM_only_ os
| where isnotnull(os)
| sort Workstation_Name

 

0 Karma

richgalloway
SplunkTrust

Do you want to show the Host field or host field (they're different)? In which index is the Host field stored (host is in all indexes)?

---
If this reply helps you, Karma would be appreciated.
0 Karma

darphboubou
Explorer

The host field, and it's in the windows index.

[attachment: host.png]

0 Karma

richgalloway
SplunkTrust

The challenge with using the host field from the windows index is the stats command does not provide that field. The command would have to be changed to include the field so it can be added to subsequent table commands for display.

index="windows" EventCode=4624 AND (host=*) Authentication_Package=NTLM Account_Domain!="NT AUTHORITY" (Package_Name__NTLM_only_="NTLM V1" OR Package_Name__NTLM_only_="NTLM V2")
| stats values(Package_Name__NTLM_only_) as Package_Name__NTLM_only_ ***values(host) as host*** by Workstation_Name
| where (mvcount(Package_Name__NTLM_only_)=1 AND Package_Name__NTLM_only_="NTLM V1")
| join type=left Workstation_Name [ search index=bel_ldapsearch AND (type=server) earliest=-1d@d latest=@d | table name operatingSystem | rename name as Workstation_Name operatingSystem as os ]
| table Workstation_Name Package_Name__NTLM_only_ os ***host***
| where isnotnull(os)
| sort Workstation_Name

I used *** to indicate new code.  Remove them before running the query.

---
If this reply helps you, Karma would be appreciated.
0 Karma