Nested sub searches return no result

thierry_15 · ‎06-10-2021

Hi and thanks a lot for your help !

My goal :

Finding processes that made suspicious DNS requests around user Logon

It seems that nested sub searches could make the job so here is my request :

event_simpleName=Process

[search event_simpleName=DNSrequest

[ search ComputerName IN ("Computer*") event_simpleName=UserLogon NOT UserName IN ("SYSTEM","*$","LOCAL SERVICE","DWM-*", "SERVICE LOCAL")
| dedup ComputerName, UserName
| rename _time AS earliest
| eval latest=earliest+120
| fields earliest, latest, ComputerName ]

| where match(DomainName,"(?i)(^.*\.(surf|cam|date|eu)$)")
| where NOT match(DomainName,".*(amaz)") | rename CProcessId as TProcessId | fields ComputerName, TProcessId ]

What I try to do / what I understand :

Subsearch_1 :
- try to find user logon and use dedup to reduce the number of events.
- using "fields", I pass to "Subsearch_2", three "parameters" : earliest, latest, ComputerName. Field "ComputerName" exists in "DNSrequest" data.

Subsearch 2 :
- Using filters "earliest, latest, ComputerName", I search DNS requests made around the user logon time (Logon time + 2 mins)
- fields "ComputerName, ProcessId" are passed to "Main search". These two fields exist in "Process" data

Main search :
- try to find processes based on "ComputerName" and "TProcessId"
- Time range selected in UI is used by this search and Subsearch_1.
Subsearch_2 uses "earliest" and "latest".

The complete request does not return any result, but I have results if I decompose the request.
The issue concerns probably the data / parameters process by "Main search"...but I can't find out more.

Nested sub searches return no result

subsearch

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!