Using search result(s) in a second, separate search

MikeElliott
Communicator

Hi All,

I am looking to create a dashboard to support ongoing investigations. This dashboard will have many panels for logs such as Windows event logs, web proxy logs, email gateway logs, endpoint protection logs, etc.

As per the below image, I would like to run an "AD_User_Search" which will return field values for "User_ID" and "Email_Address".

I would like the "WinEventLog_Search" and the "WebProxy_Search" to read the "User_ID" value returned from the "AD_User_Search" and then return relevant data from the Windows event logs/web proxy logs. Likewise, the "EmailTraffic_Search" should read the "Email_Address" value returned from the "AD_User_Search" and return relevant data from the email gateway logs.

Can anyone advise the best way to go about this?

Sukisen1981
Champion

Hi,

There are several options here:

1) Use token drilldowns. Your main panel is AD_user_search, which is perhaps just a list of user, email addr, user id. You can add some other stuff to the panel if some other 1-1 user information is present.
2) I would implement a row drilldown to 3 other panels: event log search, proxy search and email traffic search. I would pass a token value (on row selection) to these 3 child panels, populated by clicking one row of the main 'ad_user_search' panel, to fetch the user id (for log search, proxy search) and email addr (for email traffic search) respectively.
3) Default value set to ALL for all 3 child panels.
4) Token drilldown behavior: as soon as a row in the main panel is clicked, the values for user id and email addr are passed to the 3 child panels, which will then show the requisite data. The main thing is to pass the selected row token values to the respective panels. http://docs.splunk.com/Documentation/Splunk/7.0.2/Viz/DrilldownIntro

anjambha
Communicator

Hi MikeElliott,

You can make the other three panels of the dashboard depend on the "AD_User_Search" panel.

Or

Create drop-down of user_id and email_address from "AD_User_Search".

MikeElliott
Communicator

Hi anjambha,

In your second suggestion, how would we populate the drop-downs with the results from the "AD_User_Search"?

An example search string for the "AD_User_Search" would be index=active_directory username=XXX | table username user_id email_address

anjambha
Communicator

So, in this case, for proper output you can create three drop-down inputs:
1) index=active_directory | dedup username | table username
2) index=active_directory username=$username$ | table user_id
3) index=active_directory username=$username$ | table email_address
