Splunk Search

Using host tags (or similar) when searching on fields?

Ayn
Legend

I have a number of hosts that have a certain tag on them (let's say "sensitive"). I want to look for account lockout events involving these hosts. Normally this would be simple, just using a query like 'eventtype="winaccountlockout" tag="host::sensitive"' - the twist here is that the actual event occurs not on the hosts themselves but rather on the domain controllers. So, i want to search for account lockout events on the domain controllers that involve the hosts i have that are marked as 'sensitive'.

I was thinking something like 'eventtype="winaccountlockout" Caller_Machine_Name=' where the list is somehow taken from the list of hosts with the "host::sensitive" tag. Is there any way to do that, or solve the problem in another way?

Tags (2)
1 Solution

ftk
Motivator

Use a subsearch as such:

eventtype="winaccountlockout" [search tag::host=sensitive | dedup host | rename host as Caller_Machine_Name | fields Caller_Machine_Name  | format]

Or if you don't want to pass the subsearch results back as the specific field (Caller_Machine_Name) just do

eventtype="winaccountlockout" [search tag::host=sensitive | dedup host | fields host | rename host as search]

View solution in original post

ftk
Motivator

Use a subsearch as such:

eventtype="winaccountlockout" [search tag::host=sensitive | dedup host | rename host as Caller_Machine_Name | fields Caller_Machine_Name  | format]

Or if you don't want to pass the subsearch results back as the specific field (Caller_Machine_Name) just do

eventtype="winaccountlockout" [search tag::host=sensitive | dedup host | fields host | rename host as search]

gkanapathy
Splunk Employee
Splunk Employee

Seems like this would be a good place to consider using lookup tables. Possibly you could even replace the tags with lookup table entries.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...