Splunk Search

Nested sub searches return no result

thierry_15
Loves-to-Learn

Hi and thanks a lot for your help !

My goal :

Finding processes that made suspicious DNS requests around user Logon

It seems that nested sub searches could make the job so here is my request :

 

 

event_simpleName=Process

[search event_simpleName=DNSrequest

[ search ComputerName IN ("Computer*") event_simpleName=UserLogon NOT UserName IN ("SYSTEM","*$","LOCAL SERVICE","DWM-*", "SERVICE LOCAL")
| dedup ComputerName, UserName
| rename _time AS earliest
| eval latest=earliest+120
| fields earliest, latest, ComputerName ]

| where match(DomainName,"(?i)(^.*\.(surf|cam|date|eu)$)")
| where NOT match(DomainName,".*(amaz)") | rename CProcessId as TProcessId | fields ComputerName, TProcessId ]

 

 

 

What I try to do / what I understand :

Subsearch_1 :
- try to find user logon and use dedup to reduce the number of events.
- using "fields", I pass to "Subsearch_2", three "parameters" : earliest, latest, ComputerName.  Field "ComputerName" exists in "DNSrequest" data.

Subsearch 2 :
- Using filters "earliest, latest, ComputerName", I search DNS requests made around the user logon time (Logon time + 2 mins)
- fields "ComputerName, ProcessId" are passed to "Main search". These two fields exist in "Process" data

Main search :
- try to find processes based on "ComputerName" and "TProcessId"
- Time range selected in UI is used by this search and Subsearch_1.
Subsearch_2 uses "earliest" and "latest".

The complete request does not return any result, but I have results if I decompose the request.
The issue concerns probably the data / parameters process by "Main search"...but I can't find out more.

Labels (1)
0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

From Data to Insight: Announcing the Winners of the Splunk Dashboard Contest

Hi Splunkers, First off, thank you to everyone who participated in our very first From Data to Insight: The ...

Splunk Developers: Construct Your Future at the .conf26 Builder Bar

Calling all Splunk architects, platform admins, and app developers: the site is open, and the blueprints are ...

Quick connection discovery mode for forwarders

When a Splunk forwarder loses connectivity to its indexers, it does not always reconnect immediately. In many ...