Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Use subsearch results as input token to another search

daishih
Path Finder
‎08-08-2016 10:45 AM

I have a dashboard panel search that contains a subsearch that returns formatted results from three source types based on the username entered in the search field:

blocked OR deny [search sourcetype=pan:traffic  
| where user="mydomain\\$userName$"  
| rename src_ip AS src 
| fields src]  
| eval "Source IP" = coalesce(src, src_ip, src_host)  
| eval "Destination IP" = coalesce(dst, dst_ip, dest_ip)  
| eval "Destination Port" = coalesce(dst_port, dest_port)  
| eval "Application" = coalesce(service, appname, application)  
| eval "Destination Zone" = coalesce(dst_zone, dest_zone) 
| table _time, sourcetype,  "Source IP", "Destination IP", "Destination Port", url, "Application", category, src_zone, "Destination Zone", policy_id, action

Currently the search above returns all events in a specified time frame which can be chosen from a drop-down box. However, I want to modify this search to return only the latest IP that matches the username and use it as the input to another search panel that will then kick off a real-time last 30 second search. This in theory should let me see what device is blocking or denying a user from accessing something on the network. The second search below will return the results I want within the time frame, but I have to manually enter the IP:

blocked OR deny 
| search src="$IP$" OR src_ip="$IP$"  
| eval "Source IP" = coalesce(src, src_ip, src_host)  
| eval "Destination IP" = coalesce(dst, dst_ip, dest_ip)  
| eval "Destination Port" = coalesce(dst_port, dest_port)  
| eval "Application" = coalesce(service, appname, application)  
| eval "Destination Zone" = coalesce(dst_zone, dest_zone) 
| table _time, sourcetype,  "Source IP", "Destination IP", "Destination Port", url, "Application", category, src_zone, "Destination Zone", policy_id, action

Is it possible to feed the IP from the first search into the second panel and still retain the ability to manually enter it? How is this accomplished? Are more panel needed? I have to do this because sub search strings don't work in real time! Also only the PaloAlto device knows users by username, the Websense and the Juniper only know the IP. Another issue I see with this is the time frame for finding the user's IP by username. Right now the search window in the first search is set to 15 minutes. Is there some logic I can use to go beyond that 15 minutes if a pan:traffic log matching the user name is not found within the current time frame?

Any/all ideas are welcome 🙂

0 Karma
Reply

sundareshr
Legend
‎08-15-2016 10:19 AM

Try this

blocked OR deny [search sourcetype=pan:traffic  
 | where user="mydomain\\$userName$"  
 | stats latest(src_ip) as src
 | fields src]  
 | eval "Source IP" = coalesce(src, src_ip, src_host)  
 | eval "Destination IP" = coalesce(dst, dst_ip, dest_ip)  
 | eval "Destination Port" = coalesce(dst_port, dest_port)  
 | eval "Application" = coalesce(service, appname, application)  
 | eval "Destination Zone" = coalesce(dst_zone, dest_zone) 
 | table _time, sourcetype,  "Source IP", "Destination IP", "Destination Port", url, "Application", category, src_zone, "Destination Zone", policy_id, action
0 Karma
Reply

daishih
Path Finder
‎08-17-2016 11:21 AM

I tried this but I keep getting an error that says "Duplicate values causing conflict" even if I use dedupe.

0 Karma
Reply

sundareshr
Legend
‎08-17-2016 11:26 AM

Are you using this to populate the dropdown? If yes, try this instead

blocked OR deny [search sourcetype=pan:traffic  
  | where user="mydomain\\$userName$"  
  | stats latest(src_ip) as src
  | fields src]  
  | eval SourceIP = coalesce(src, src_ip, src_host)  
  | stats count by SourceIP
  | fields SourceIP
0 Karma
Reply

daishih
Path Finder
‎08-18-2016 07:56 AM

I am trying to populate a drop down yes. I tried your suggestion as well as the code below since they both produce the same results in a normal search: 

sourcetype=pan:traffic  
| where user="mydomain\\$userName$" 
| table src_ip 
| dedup src_ip

Both search strings do not populate the drop down though, it just sits there and spins 😞

0 Karma
Reply
Get Updates on the Splunk Community!

Monitoring MariaDB and MySQL

In a previous post, we explored monitoring PostgreSQL and general best practices around which metrics to ...

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...