Splunk Search

Is it possible to list the filters of the initial search with the results of a subsearch?

Log_wrangler
Builder

Here is the scenario.

I have two indexes (index=AV and index=Packet_Analysis)

I use index=AV to find attack signatures and the attacker IP, then I pipe the IP results from this search into index=Packet_Analysis to see if, and when, the attacker IP did a GET from a certain domain.

For example

index=Packet_Analysis method=GET domain="bad.com" [search index=AV attack_sig="Bad stuff" attacker_IP=10.* |stats values(attacker_IP) as src_ip | table src_ip]  |stats values(src_ip) by _time

fyi - in index=AV the attacker_IP correlates to the src_ip in index=Packet_Analysis

The results I need are Attacker_IP, Attack_time, Src_IP, Get_time.

So, I need to display the results from the initial search with the results of the second search (with the respective times as they are different)...

I believe this can be done with fields and eval, however I need an example to get started.

Thank you

0 Karma
1 Solution

kmaron
Motivator

Try this. Your times will come out as the unix time so you'll need to strftime to make them readable but I think this will get you what you want and then you don't need the subsearch.

   (index=Packet_Analysis method=GET domain="bad.com") OR (index=AV attack_sig="Bad stuff" attacker_IP=10.*)
   | eval Get_Time = case(index="Packet_Analysis", _time)
   | eval Attack_Time = case(index="AV", _time)
   | eval src_ip = if(index="AV",attacker_IP,src_ip)
   | stats values(Get_Time) as GetTime values(Attack_Time) as AttackTime by src_ip


Log_wrangler
Builder

Thank you for the reply. It got me going. I could not get it to work without coalesce, like this...

   (index=Packet_Analysis method=GET domain="bad.com") OR (index=AV attack_sig="Bad stuff" attacker_IP=10.*)
   | eval Get_Time = case(index="Packet_Analysis", _time) | eval GetTime=strftime(Get_Time,"%Y-%m-%dT%H:%M:%S.%Q")
   | eval Attack_Time = case(index="AV", _time) | eval AttackTime=strftime(Attack_Time,"%Y-%m-%dT%H:%M:%S.%Q")
   | eval HostIP=coalesce(Remote_IP, src_ip)
   | stats values(GetTime) as GetTime values(AttackTime) as AttackTime by HostIP

Before I accept your answer, I was hoping you could look at my query and advise if there is a better way to write the strftime conversion...

Thank you

0 Karma
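To make the OR-search form concrete, here is an added Python model of the accepted answer's pipeline together with the coalesce and strftime refinements from the reply above; it is not Splunk code and not either poster's code. The event lists are constructed, timestamps are rendered in UTC, and both_sides is an assumed helper that restores the inner-join behaviour the original subsearch had (only hosts seen in both indexes).

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events for both indexes (not real data); _time is epoch seconds as in Splunk.
AV_EVENTS = [
    {"index": "AV", "_time": 1540542840, "attack_sig": "Bad stuff", "attacker_IP": "10.1.2.3"},
    {"index": "AV", "_time": 1540542900, "attack_sig": "Bad stuff", "attacker_IP": "10.9.9.9"},
    {"index": "AV", "_time": 1540543000, "attack_sig": "Other", "attacker_IP": "10.5.5.5"},  # dropped by attack_sig filter
]
PA_EVENTS = [
    {"index": "Packet_Analysis", "_time": 1540543200, "method": "GET", "domain": "bad.com", "src_ip": "10.1.2.3"},
    {"index": "Packet_Analysis", "_time": 1540543260, "method": "GET", "domain": "bad.com", "src_ip": "10.1.2.3"},
    {"index": "Packet_Analysis", "_time": 1540543300, "method": "POST", "domain": "bad.com", "src_ip": "10.9.9.9"},  # not a GET
    {"index": "Packet_Analysis", "_time": 1540543400, "method": "GET", "domain": "bad.com", "src_ip": "192.0.2.7"},  # never seen in AV
]

def matches_search(ev):
    """The (clause A) OR (clause B) base search: keep an event if either clause holds."""
    if ev["index"] == "Packet_Analysis":
        return ev.get("method") == "GET" and ev.get("domain") == "bad.com"
    if ev["index"] == "AV":
        return ev.get("attack_sig") == "Bad stuff" and ev.get("attacker_IP", "").startswith("10.")
    return False

def strftime_q(epoch):
    """Mirror strftime(_time, "%Y-%m-%dT%H:%M:%S.%Q"); %Q is milliseconds. Rendered in UTC here."""
    base = datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    return f"{base}.{int(round(epoch * 1000)) % 1000:03d}"

def correlate(events):
    """The conditional evals plus 'stats values(GetTime) values(AttackTime) by HostIP'.

    values() keeps each distinct value once, sorted; a host seen in only one index still
    gets a row with the other side empty (the OR search behaves like an outer join).
    """
    rows = defaultdict(lambda: {"GetTime": set(), "AttackTime": set()})
    for ev in filter(matches_search, events):
        # coalesce(): take the key from whichever field this index carries
        host = ev.get("attacker_IP") if ev["index"] == "AV" else ev.get("src_ip")
        if host is None:
            continue  # 'stats ... by HostIP' silently drops events lacking the key
        side = "AttackTime" if ev["index"] == "AV" else "GetTime"
        rows[host][side].add(strftime_q(ev["_time"]))
    return {h: {k: sorted(v) for k, v in d.items()} for h, d in rows.items()}

def both_sides(rows):
    """Keep only hosts with an attack AND a GET, i.e. what the original subsearch form returned."""
    return {h: d for h, d in rows.items() if d["GetTime"] and d["AttackTime"]}
```

In SPL the same restriction to hosts present in both indexes is `| where isnotnull(GetTime) AND isnotnull(AttackTime)` appended after the stats command.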

kmaron
Motivator

If you want your GetTime/AttackTime to look like a timestamp, ex: 2018-10-26T08:34:00.000, then your strftime is good.

If you want it to be more person readable you could do this

   eval GetTime=strftime(Get_Time,"%m/%d/%Y %I:%M:%S %p")

Which would make it show like this: 10/16/2018 8:34:00 am

There are a lot of options for formatting.

0 Karma

Log_wrangler
Builder

Thank you, I really appreciate your help... I wonder if you can advise on another question I have "How do I correlate email events when the key-id is not defined in all events?"

0 Karma

kmaron
Motivator

Without really knowing your data I don't think I can help much but you can always post that as a new question and I'm sure someone would have a good answer (or two).

0 Karma