Solved: Use search results for another search

afont · ‎11-08-2010

Hi,

I want to use the search results as an argument for another search (with different source), like this more or less...:

source=/var/log/remots/ns_traffic.log dst=[search sourcetype="snort" | fields dest_ip]

Is this possible? Which is the right way to do it?

Thanks in advance, Alex

ziegfried · ‎11-08-2010

source=/var/log/remots/ns_traffic.log [search sourcetype="snort" | fields dest_ip | rename dest_ip as dst]

You can also take a look on the search restriction created by the subsearch by executing this search:

sourcetype="snort" | fields dest_ip | rename dest_ip as dst | format

afont · ‎11-08-2010

Hi Ziegfried!

The search:

source=/var/log/remots/ns_traffic.log [search sourcetype="snort" | fields dest_ip | rename dest_ip as dst]

worked better than mine... 😉 i think that the main thing was on the rename command, which tells splunk to match the different fields, isn't it?

thanks! Alex

afont · ‎11-08-2010

i think i found it...

source=/var/log/remots/ns_traffic.log |fields dst [search sourcetype="snort" dest_ip]

is that the right way to correlate the different results?

Alex

ziegfried · ‎11-08-2010

source=/var/log/remots/ns_traffic.log [search sourcetype="snort" | fields dest_ip | rename dest_ip as dst]

You can also take a look on the search restriction created by the subsearch by executing this search:

sourcetype="snort" | fields dest_ip | rename dest_ip as dst | format

Use search results for another search