Search within the search

bigll
Path Finder

I need to identify hosts with errors, but only in block mode.

My SPL:

index=firewall event_type="error [search index=firewall sourcetype="metadata" enforcement_mode=block]
| dedup host
| table event_type, host, ip

Each search works separately, but combined it sits on "parsing job" with no result for a long time.

Thank you 


PickleRick
SplunkTrust

As both searches invoke the same index, there is probably not much point (unless you have a very, very specific use case) in using a subsearch here.

Just search for

index=firewall event_type=error sourcetype=metadata enforcement_mode=block

Because that's effectively what your search would do.

Having said that - that is probably _not_ what you need.

I'd hazard a guess that you're probably looking for something like

index=firewall
| stats values(event_type) as event_types values(sourcetype) as sourcetypes values(enforcement_mode) as enforcement_modes by host
| search enforcement_modes="block"


bigll
Path Finder

Something in my solution is not right.
It works for only one condition (one or the other), but combined it produces zero events.

Events reported:

index=firewall (sourcetype=collector OR sourcetype=metadata) enforcement_mode=block
|table event_type, hostname, ip



Events reported:

index=firewall (sourcetype=collector OR sourcetype=metadata) event_type="error"
|table event_type, hostname, ip

No events reported:

index=firewall (sourcetype=collector OR sourcetype=metadata) enforcement_mode=block event_type="error"
|table event_type, hostname, ip

ITWhisperer
SplunkTrust

Have you tried my suggestion?

bigll
Path Finder

Thank you very much for your help.

The code that works 🙂

index=firewall event_type="error" [search index=firewall sourcetype="metadata" enforcement_mode=block
| dedup host1
| table host1
| format]
|  dedup host
| table event_type, host, ip



PickleRick
SplunkTrust

Be aware that subsearches have limitations and it can be nasty if you hit the limit because the search will be finalized silently. You won't know something's not right.

Also the

| dedup host
| table host

part is quite suboptimal.

And in general be wary when using the dedup command (you have it in outer search as well) - it might behave differently than you'd expect.

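An added example, not code from this thread, of the same subsearch with the dedup/table pair replaced by stats; it assumes the field names used above (host, ip, event_type, enforcement_mode) and that the metadata events carry the host name in host:

```spl
index=firewall event_type="error"
    [search index=firewall sourcetype="metadata" enforcement_mode=block
     | stats count by host
     | fields host
     | format]
| stats values(ip) as ip by host event_type
```

`stats count by host` collapses the subsearch to one row per host, and `fields host` drops the count so that `format` emits only `(host="...") OR (host="...")` clauses for the outer search. The subsearch is still bounded by the `maxout` (10,000 results) and `maxtime` (60 seconds) settings in the `[subsearch]` stanza of limits.conf, so with many blocking hosts the generated host list can be truncated and hosts with errors drop out of the report without an error in the result; a single search with `stats ... by host` over both sourcetypes avoids that limit altogether.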

bigll
Path Finder

Since it's the same index with two different source types, could the SPL be built differently?

index=firewall (sourcetype=collector OR sourcetype=metadata) enforcement_mode=block event_type="error"
|table event_type, hostname, ip



Thank you

 



ITWhisperer
SplunkTrust
index=firewall (sourcetype=collector OR sourcetype=metadata) (enforcement_mode=block OR event_type="error")
|table event_type, hostname, ip

PickleRick
SplunkTrust

You haven't told us what you want the search to do so I'm only guessing. Probably your hosts log events which have either enforcement_mode=block field or event_type=error field but no single event has both of these fields set. So your "combined" search will not find them because both conditions aren't fulfilled in a single event.

That's why you need to correlate multiple events by using either transaction or stats (the stats approach is preferred due to the transaction command's limitations).

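As an added example of the stats-based correlation described above (not code posted in this thread), the following single search groups both sourcetypes by host and keeps only hosts that have at least one error event and at least one block event in the time range. It assumes, as mentioned later in the thread, that metadata events name the host in host1 while collector events use host, and that ip is present on the events:

```spl
index=firewall (sourcetype=collector OR sourcetype=metadata) (event_type="error" OR enforcement_mode=block)
| eval host=coalesce(host1, host)
| stats values(event_type) as event_types values(enforcement_mode) as enforcement_modes values(sourcetype) as sourcetypes values(ip) as ip by host
| search event_types="error" enforcement_modes="block"
| table host event_types enforcement_modes sourcetypes ip
```

The filter in the first line uses OR, so events that carry only one of the two fields are still retrieved; the stats command then merges them per host into multivalue fields, and the `search` after stats matches a multivalue field if any of its values equals the given string. Because `host` is also Splunk's own default field for where an event was ingested from, the `coalesce` should prefer the field that actually holds the firewall host name in your data; if both sourcetypes name the host in different fields that neither is host, rename them in the eval instead.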

ITWhisperer
SplunkTrust

You could do that, if it gives you what you need.


bigll
Path Finder

Thank you.

Because in the different data sources I see the host name under different fields,
i.e. in metadata "host1" and in collector just "host", I added a rename:

index=firewall event_type="error" [search index=firewall sourcetype="metadata" enforcement_mode=block
| rename host1 as host
|dedup host
| table host
| format]
| table event_type, host, ip


Now I am back to square 1: it runs but no events are produced and it never finishes.



ITWhisperer
SplunkTrust

host is a field sometimes populated by Splunk to identify where logs were ingested from - could this be your issue?


ITWhisperer
SplunkTrust

Try something like this

index=firewall event_type="error" [search index=firewall sourcetype="metadata" enforcement_mode=block
| dedup host
| format]
| table event_type, host, ip 

bigll
Path Finder

Thank you. 
Unfortunately the proposed change produced 0 events.


ITWhisperer
SplunkTrust

Sorry, I missed a line, try this

index=firewall event_type="error" [search index=firewall sourcetype="metadata" enforcement_mode=block
| dedup host
| table host
| format]
| table event_type, host, ip 