Problems with subsearch and returning multiple fields

Explorer

Hello, I'm trying to run the following search:

Using a subsearch, I collect from the DNS logs the source IP address and the domain it looked up.
Then, using the source IP address, I query the Windows security event logs to see which user was using that IP address at the time.
Finally, create output with the destination, source IP and user details.

I'm having problems with subsearch and returning values.
How do you return multiple fields and then search further only using one of the fields (src in this case)?

[ search sourcetype="dns" "specific urls" | dedup src | return src query ]
sourcetype="WinSecurityEvent" src
| dedup accountname | stats values(accountname) AS accounts | table query, src, accounts

Or is there a better way of doing this?


Re: Problems with subsearch and returning multiple fields

Splunk Employee

Hi reinoheinanen,

You can use the fields command in your subsearch to return the specified fields as arguments for the outer search. For example:

... [ search sourcetype="dns" "specific urls" | dedup src | fields src] ... 

There are other ways you can change the format of subsearch results to meet your needs. For more information, please refer to the documentation: http://docs.splunk.com/Documentation/Splunk/6.5.1/Search/Changetheformatofsubsearchresults

Hope this helps. Thanks!
Hunter


Re: Problems with subsearch and returning multiple fields

Explorer

Thanks Hunter,

So now I have another problem. The link you provided had details about the format command, which I was hoping to use to modify the returned search result so that it will work with multiple returned fields.

Splunk docs says:
"The format command changes your subsearch results into a single linear search string. This is used when you want to pass the returned values in the returned fields into the primary search."

I have managed to get the query to work if I return a single field. But it doesn't work if I pipe it to format. It seems the primary search doesn't work with the returned linear search string?

[ search sourcetype="dns" "specific urls" | dedup src | return 3 srcip=src | format ]
sourcetype="WinSecurityEvent"
| dedup accountname | stats values(accountname) AS accounts | table query, srcip, accounts

The formatted search string that is returned contains (this does not work):
( ( "(srcip=\"10.10.10.1\") OR (srcip=\"10.10.10.2\") OR (src_ip=\"10.10.10.3\")" ) )

Without format (this works):
(srcip="10.10.10.1") OR (srcip="10.10.10.2") OR (src_ip="10.10.10.3")

Is there a bug, or am I missing something from my command, or am I supposed to modify the linear search string somehow before it can be used with the primary search?

Thanks,


Re: Problems with subsearch and returning multiple fields

Explorer

I managed to get this to work but had to do it slightly differently.

As Splunk doesn't seem to support proper control over what to do with results that are returned from subsearches, I had to run two separate subsearches with OR between them.

(index=winsec sourcetype="WinSecurityEvent" src [ search sourcetype="dns" "specific urls" | dedup src | return 100 srcip=src ] ) OR
(index=DNS [ search sourcetype="dns" "specific urls" | dedup src | return 100 query ])
| dedup accountname | stats values(accountname) AS accounts | table query, srcip, accounts

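As an added example (not code from the thread or from Splunk), here is a small Python model of how `return` and `format` build the string a subsearch splices into the outer search; it reproduces the working and the double-wrapped strings from the second post above and the two-subsearch OR form from the final post. The rule that `format` emits a `search` value as one quoted literal is an assumption inferred from the output quoted in the thread, and the DNS rows are constructed sample data.

```python
# Added example, not Splunk's code: a model of how `return` and `format` build
# the linear search string that a subsearch splices into the outer search.

def spl_return(results, count, **aliases):
    """Emulate `| return N alias=field ...`: take the first N rows and build one
    `(alias="v" ...) OR (alias="v" ...)` string, delivered in the `search` field."""
    clauses = []
    for row in results[:count]:
        pairs = " ".join(f'{alias}="{row[field]}"' for alias, field in aliases.items())
        clauses.append(f"({pairs})")
    return [{"search": " OR ".join(clauses)}]

def spl_format(results):
    """Emulate `| format` with its defaults "(" "(" "AND" ")" "OR" ")". Assumption
    (inferred from the output quoted in the thread): a `search` value is emitted as
    one quoted, escaped literal, not as `search="..."`, hence the second wrapper."""
    rows = []
    for row in results:
        terms = []
        for field, value in row.items():
            if field == "search":
                terms.append('"' + value.replace('"', '\\"') + '"')
            else:
                terms.append(f'{field}="{value}"')
        rows.append("( " + " AND ".join(terms) + " )")
    return "( " + " OR ".join(rows) + " )"

# Constructed sample of DNS results, as they look after `dedup src`.
DNS_RESULTS = [
    {"src": "10.10.10.1", "query": "example-one.test"},
    {"src": "10.10.10.2", "query": "example-two.test"},
    {"src": "10.10.10.3", "query": "example-three.test"},
]

def working_subsearch():
    """`return 3 srcip=src`: the outer search receives plain field=value filters."""
    return spl_return(DNS_RESULTS, 3, srcip="src")[0]["search"]

def broken_subsearch():
    """`return 3 srcip=src | format`: the same terms as one quoted phrase, so no field filters."""
    return spl_format(spl_return(DNS_RESULTS, 3, srcip="src"))

def workaround_outer_search():
    """Two subsearches joined by OR, as in the final post."""
    ips = spl_return(DNS_RESULTS, 100, srcip="src")[0]["search"]
    domains = spl_return(DNS_RESULTS, 100, query="query")[0]["search"]
    return (f'(index=winsec sourcetype="WinSecurityEvent" {ips}) OR '
            f"(index=DNS {domains})")
```

Passing two fields, e.g. `spl_return(DNS_RESULTS, 3, src="src", query="query")`, shows why the original `return src query` ties each IP to its domain inside one parenthesised clause, which is what the outer Windows search cannot use.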