Splunk Search

Modify search term before search

Isaac_Hailperin
Engager

I would like to modify my search term before I actually search for it. Background: I want to see how the MX for a certain domain connects to my MX. Say I want to know how (e.g. with TLS) the mail relay for acme.org connects - If I search for acme.org in my maillog, I find nothing, because the MX record for acme.org might be coolmailer.com. Currently do the lookup by hand before I search, but it would to cool to integrate this step into the splunk search. I tried using a scripted lookup, but I fail using a lookup before getting any results from search.

Something along the lines of

sourcetype=whatever  give_mx_record_of("acme.org")  |stats count by encryption_level

where give_mx_record_of("acme.org") would return coolmailer.com, which is what would be searched for, so while I enter acme.org into my (saved)search (because that is what I know), splunk actually searches for

sourcetype=whatever coolmailer.com |stats count by encryption_level

This particular example would probably yield just one line, or no result. I have a python script that does the conversion of acme.org to coolmailer.com, currently in the form of a lookup script (scripted lookup), but if it helps I can transform it to any other format.

Can splunk do such a thing, and if yes, how?

0 Karma

lguinn2
Legend

Perhaps a subsearch would work for you.

index=wherever [ search index=mxstuff acme.org | other search stuff | fields mx_name ]

Terrible example, but you haven't given much to go on. The search within the brackets is the subsearch. It executes first, and the results of the subsearch become terms in the base search. You may want to read more in the manual About subsearches

0 Karma
Get Updates on the Splunk Community!

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...

Announcing General Availability of Splunk Incident Intelligence!

Digital transformation is real! Across industries, companies big and small are going through rapid digital ...