I am fairly new to Splunk and only have the basics under my belt at best. I'm having trouble proving out the following use case:
Taking a malicious URL (threatURL) from email threat (index=emailThreat) events and then querying the firewall (index=firewall) for any user activity including the referenced malicious URL. So far I have the following search:
index=firewall log_subtype=url [search index=emailThreat | dedup threatUrl | table threatUrl] | table time, url, user
Separately, the the two searches work and return the expected value. However, when put together, the search returns no results. Not sure what I'm missing.
The trick to subsearches is to make sure they return a string that makes sense when it is incorporated into the main search.
Try running the subsearch like this
index=emailThreat | dedup threatUrl | fields threatUrl | format
That will generate the text that the main search will see. Make sure it looks OK and that the firewall index contains a threatUrl field. If the field has a different name, add a rename command before format in the subsearch.
Hi
can you give sample events from indexes?
Anyhow you could try something like
(index=firewall_los log_subtype=url url=*) OR (index=emailThreath threathUrl=* user=*)
| eval commonUrl=coalesce(url, threathUrl)
| stats first(_time) as _time values(user) as user by commonUrl
| table _time, commonUrl, user
The trick to subsearches is to make sure they return a string that makes sense when it is incorporated into the main search.
Try running the subsearch like this
index=emailThreat | dedup threatUrl | fields threatUrl | format
That will generate the text that the main search will see. Make sure it looks OK and that the firewall index contains a threatUrl field. If the field has a different name, add a rename command before format in the subsearch.