Splunk Search

Use subsearch results as input token to another search

daishih
Path Finder

I have a dashboard panel search that contains a subsearch that returns formatted results from three source types based on the username entered in the search field:

blocked OR deny [search sourcetype=pan:traffic  
| where user="mydomain\\$userName$"  
| rename src_ip AS src 
| fields src]  
| eval "Source IP" = coalesce(src, src_ip, src_host)  
| eval "Destination IP" = coalesce(dst, dst_ip, dest_ip)  
| eval "Destination Port" = coalesce(dst_port, dest_port)  
| eval "Application" = coalesce(service, appname, application)  
| eval "Destination Zone" = coalesce(dst_zone, dest_zone) 
| table _time, sourcetype,  "Source IP", "Destination IP", "Destination Port", url, "Application", category, src_zone, "Destination Zone", policy_id, action

Currently the search above returns all events in a specified time frame which can be chosen from a drop-down box. However, I want to modify this search to return only the latest IP that matches the username and use it as the input to another search panel that will then kick off a real-time last 30 second search. This in theory should let me see what device is blocking or denying a user from accessing something on the network. The second search below will return the results I want within the time frame, but I have to manually enter the IP:

blocked OR deny 
| search src="$IP$" OR src_ip="$IP$"  
| eval "Source IP" = coalesce(src, src_ip, src_host)  
| eval "Destination IP" = coalesce(dst, dst_ip, dest_ip)  
| eval "Destination Port" = coalesce(dst_port, dest_port)  
| eval "Application" = coalesce(service, appname, application)  
| eval "Destination Zone" = coalesce(dst_zone, dest_zone) 
| table _time, sourcetype,  "Source IP", "Destination IP", "Destination Port", url, "Application", category, src_zone, "Destination Zone", policy_id, action

Is it possible to feed the IP from the first search into the second panel and still retain the ability to manually enter it? How is this accomplished? Are more panel needed? I have to do this because sub search strings don't work in real time! Also only the PaloAlto device knows users by username, the Websense and the Juniper only know the IP. Another issue I see with this is the time frame for finding the user's IP by username. Right now the search window in the first search is set to 15 minutes. Is there some logic I can use to go beyond that 15 minutes if a pan:traffic log matching the user name is not found within the current time frame?

Any/all ideas are welcome 🙂

0 Karma

sundareshr
Legend

Try this

blocked OR deny [search sourcetype=pan:traffic  
 | where user="mydomain\\$userName$"  
 | stats latest(src_ip) as src
 | fields src]  
 | eval "Source IP" = coalesce(src, src_ip, src_host)  
 | eval "Destination IP" = coalesce(dst, dst_ip, dest_ip)  
 | eval "Destination Port" = coalesce(dst_port, dest_port)  
 | eval "Application" = coalesce(service, appname, application)  
 | eval "Destination Zone" = coalesce(dst_zone, dest_zone) 
 | table _time, sourcetype,  "Source IP", "Destination IP", "Destination Port", url, "Application", category, src_zone, "Destination Zone", policy_id, action
0 Karma

daishih
Path Finder

I tried this but I keep getting an error that says "Duplicate values causing conflict" even if I use dedupe.

0 Karma

sundareshr
Legend

Are you using this to populate the dropdown? If yes, try this instead

blocked OR deny [search sourcetype=pan:traffic  
  | where user="mydomain\\$userName$"  
  | stats latest(src_ip) as src
  | fields src]  
  | eval SourceIP = coalesce(src, src_ip, src_host)  
  | stats count by SourceIP
  | fields SourceIP
0 Karma

daishih
Path Finder

I am trying to populate a drop down yes. I tried your suggestion as well as the code below since they both produce the same results in a normal search:

sourcetype=pan:traffic  
| where user="mydomain\\$userName$" 
| table src_ip 
| dedup src_ip

Both search strings do not populate the drop down though, it just sits there and spins 😞

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...