- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Lookback search for related event
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Lookback search for related event
I'm trying to perform a search that will be used for a notable event that looks for the creation of a load balancer listener on port 80 which is very straightforward:
eventName=CreateListener requestParameters.port=80
However, I only want the notable event to trigger if the result from the search above was applied to an internet facing load balancer which means I'd have to search backwards (with the timestamp of the search above as the start time), for the first result I find of:
eventName=CreateLoadBalancer requestParameters.scheme=internet-facing
I also need to ensure that the load balancer where the listener was created is the same as what is found (if anything) from the CreateLoadBalancer event. In other words, requestParameters.loadBalancerArn (from the CreateListener event) needs to equal responseElements.loadBalancers{}.loadBalancerArn (from the CreateLoadBalancer event).
I'm not necessarily looking for someone that can write this for me (though that would be helpful as well), but if someone could at least point me in the right direction I haven't had much luck searching the forums and documentation for doing exactly what I'm trying to attempt here. Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Solving those type of lookback searches will depend on how far back you need to look. If in this example, you have an undefined lookback period, then the solution is probably to create a new saved search (report) and run that on a schedule that looks for the
requestParameters.scheme=internet-facingevents and then add those load balancer details to a lookup. Depending on your requirement, you could do that every hour/minute/day/week. In your notable event search, you can simply do the lookup against your table to get the scheme type.
The lookup generating search would simply do the search for internet-facing events, perform a lookup against the existing table and in the event that it does NOT exist, add the new entries to the lookup.
These are the statements you will need to use to achieve that.
| lookup lb_table lb_name OUTPUT some_field
| where isnull(some_field)
| outputlookup append=t lb_tableThe some_field test is a way to check if the lb is already in the table, hence the isnull() test is checking if that does not exist.
You may want to add all LB details to the lookup with the scheme as part of the lookup data, in which case, modify the base search has as appropriate, but then in the lookup of the notable search, you would need to lookup the lb_name (or whatever field you need - ip) as well as the scheme type, e.g.
| eval lb_scheme="internet-facing"
| lookup lb_table lb_name lb_schemeHope this helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is great information - it's going to take me some time to try it out but I'm hopeful this will work. Thank you for taking the time to respond!
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
