I've got a search that results in an IP address. I use that search as a subsearch which takes the IP and uses it as a search arg for the parent search in order to retrieve a hostname from another index. The issue is, the larger the search time window, the more likely it is that there is more than one hostname associated with that IP.
Is there any way to pull both an IP and the event's time from the subsearch and use both as args for the parent search?
Here's where I'm at:
[search index="INDEX1" [inputlookup file.csv | fields domain | rename domain as search | format maxresults=3000] | top IP limit=50 | fields IP] index="INDEX2" NOT [inputlookup whitelist.csv | fields hostname | format maxresults=1000] | top hostname by IP
It is possible to pass time from a subsearch. Specifying the use case would allow us to help you rewrite/simplify your current search, but here's a basic example of how you can pass time:
* | eval time=_time | search [search source="my.log" parm=option1 | head 2 | eval time=_time | fields time]
Using eval to set another field to _time will work. This search should return all events that correspond in time to any my.log events where parm=option1.
UPDATE:
One thing to note is that your events from multiple sources may not correlate as exact time matches. You might want to round your time values off at the minute or such:
... | eval time=relative_time(_time, "@m")
So would this be my query?
[search index="INDEX1" [inputlookup file.csv | fields domain | rename domain as search | format maxresults=3000] | top IP limit=50 | eval time=relative_time(_time, "@m") | fields Internal_IP,time] index="INDEX2" NOT [inputlookup whitelist.csv | fields hostname | format maxresults=1000] | eval time=relative_time(_time, "@m") | top hostname by IP
Sure... Here's my use case. Index2 is searched (via the subsearch) for IP addresses that have been contacted by domains listed in the server-side csv. These IPs are passed up to the parent search to be thrown against Index1, our Active Directory logs. The 'top hostname by IP' would ideally return a list of IPs and hostnames with 100% matching. The issue is, if a large timeframe is used (say, 24 hours) there are times when we catch an IP belonging to two different hostnames.
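Putting the answer's "pass time from the subsearch" technique together with the use case above, here is one way to write the correlation so that each IP is only matched against events close in time to the event that produced it. This is an added example, not code from the original question or answer. Instead of a rounded time field it has the subsearch emit the special earliest and latest fields (a per-IP window of five minutes either side of the event), which format turns into per-term time bounds in the parent search; it keeps the index names, lookup files and field names (IP, hostname) from the posted search, which are assumptions about the data, and it computes the window before any top/stats, because top discards _time and the rounded time in the proposed query would come out empty.

```spl
index="INDEX2" NOT [ inputlookup whitelist.csv | fields hostname | format maxresults=1000 ]
    [ search index="INDEX1" [ inputlookup file.csv | fields domain | rename domain AS search | format maxresults=3000 ]
      | eval earliest=_time-300, latest=_time+300
      | fields IP earliest latest
      | dedup IP earliest
      | format maxresults=3000 ]
| stats earliest(_time) AS first_seen, latest(_time) AS last_seen, count BY IP, hostname
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort IP, -count
```

An IP that was reassigned during a 24-hour search now shows up as two rows with non-overlapping first_seen/last_seen ranges instead of one ambiguous pair, and widening or narrowing the window is a matter of changing the 300-second offsets. Two caveats a practitioner should check: subsearches are capped by limits.conf (maxout and subsearch_maxtime), so on a busy index the dedup and maxresults values matter, and if the IP is recorded under a different field name in INDEX2, rename it in the subsearch (rename IP AS src_ip, for example) before format so the generated search terms match.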