Splunk Search

Subsearch or ‘let stats sort it out’?

RocIngersol
Explorer

Hey folks. Help!

I have two indexes.

  • Index 1 - Contains an authoritative list of AWSconfig accounts it.
  • index 2 - Contains cloudtrail data - logins by account

I want to list accounts that haven’t been logged into using my AWSconfig account list (index 1) as Index 2 (cloudtrail) only has logs of what has been logged into at some point...

I was going to use a subsearch to get a list of unique accounts from index 1 and then pass that into a search against cloudtrail (index 2) - but was wondering if I could use stats instead (cause y’know subsearches have limitations...)

Thoughts?

Thanks!

Tags (2)
0 Karma
1 Solution

nickhills
Ultra Champion

Personally, I might use a lookup for this task.

I would create a scheduled search to build a list of authorisedAWSAccounts.csv from index1 and run that hourly/daily/weekly depending on your needs.

Then you can use that lookup in your search against data in index2 to add an 'isAuthorised" field.

Scheduled Lookup Builder
index=index1 yourSearchFilter|eval isAuthorised=true|table userName arn isAuthorised|outputlookup authorisedAWSAccounts.csv

Search index2
index=index2 yourSearchFilter|lookup authorisedAWSAccounts.csv [userName|arn] OUTPUT isAuthorised|search isAuthorised!=true

If my comment helps, please give it a thumbs up!

View solution in original post

0 Karma

somesoni2
Revered Legend

What are the event counts in both indexes (based on the search time range you'll be using)?

0 Karma

nickhills
Ultra Champion

Personally, I might use a lookup for this task.

I would create a scheduled search to build a list of authorisedAWSAccounts.csv from index1 and run that hourly/daily/weekly depending on your needs.

Then you can use that lookup in your search against data in index2 to add an 'isAuthorised" field.

Scheduled Lookup Builder
index=index1 yourSearchFilter|eval isAuthorised=true|table userName arn isAuthorised|outputlookup authorisedAWSAccounts.csv

Search index2
index=index2 yourSearchFilter|lookup authorisedAWSAccounts.csv [userName|arn] OUTPUT isAuthorised|search isAuthorised!=true

If my comment helps, please give it a thumbs up!
0 Karma

RocIngersol
Explorer

I’m not looking for isAuthed per se more ‘from the a deduped list of master accounts in index1, have they been found logging in determined by the Cloudtrail logs in index2.

Lookup could work but.. will try and report back. Thx!

0 Karma

nickhills
Ultra Champion

Ah I see, its more like "from this list of users, who has logged in?"
In that case the lookup is still a viable solution - but maybe you can use a field name like 'reviewLogin' instead of 'isAuthorised'

If my comment helps, please give it a thumbs up!
0 Karma

RocIngersol
Explorer

Yeah. Sounds good!

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...