Splunk Search

Using search result(s) in a second, separate search

MikeElliott
Communicator

Hi All,

I am looking to create a dashboard to support ongoing investigations. This dashboard will have many panels for logs such as Windows event logs, web proxy logs, email gateway logs, endpoint protection logs, etc.

As per the below image, I would like to run an "AD_User_Search" which will return field values for "User_ID" and "Email_Address".

I would like the "WinEventLog_Search" and the "WebProxy_Search" to read the "User_ID" value returned from the "AD_User_Search" and then return relevant data from the Windows event logs/web proxy logs. Likewise, the "EmailTraffic_Search" to read the "Email_Address" value returned from the "AD_User_Search" and return relevant data from the email gateway logs.


Can anyone advise the best way to go about this?


Sukisen1981
Champion

Hi,

There are several options here:

1) Use token drilldowns. Now your main panel is AD_user_search, that is perhaps just a list of user, email addr, user id. You can add some other stuff to the panel if some other 1-1 user information is present.
2) I would implement a row drilldown to 3 other panels: event log search, proxy search and email traffic search. I would pass a token value (on row selection) to these 3 child panels which will be populated by clicking on one row of the main 'ad_user_search' panel to fetch the user id (for log search, proxy search) and email addr (for email traffic search) respectively.
3) Default value set to ALL for all 3 child panels.
4) Token drilldown behavior - as soon as a row in the main panel is clicked, the values for user id and email addr are passed to the 3 child panels which will then show the requisite data on the same. The main thing is to pass the selected row token values to the respective panels. http://docs.splunk.com/Documentation/Splunk/7.0.2/Viz/DrilldownIntro

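A Simple XML sketch of the row-drilldown approach described above (an added example, not code from this thread or from Splunk's documentation): the AD_User_Search table sets two tokens when a row is clicked, the child panels read those tokens in their searches, and `<init>` gives both tokens a wildcard default so the children show all data until a row is selected. The child-panel index and field names (index=wineventlog, index=email, user, sender, recipient) are assumptions to be replaced with your own; the WebProxy_Search panel is built exactly like the WinEventLog_Search one, keyed on $user_id$.

```xml
<dashboard>
  <label>User pivot for investigations</label>
  <!-- Defaults: child panels match everything (*) until a row is clicked -->
  <init>
    <set token="user_id">*</set>
    <set token="email_address">*</set>
  </init>
  <row>
    <panel>
      <title>AD_User_Search</title>
      <table>
        <search>
          <query>index=active_directory | dedup username | table username user_id email_address</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <!-- Row click copies the clicked row's field values into the two tokens -->
        <drilldown>
          <set token="user_id">$row.user_id$</set>
          <set token="email_address">$row.email_address$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>WinEventLog_Search: $user_id$</title>
      <table>
        <!-- Assumed index and field names; substitute your own sourcetype's -->
        <search>
          <query>index=wineventlog user=$user_id$ | table _time host EventCode</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
    <panel>
      <title>EmailTraffic_Search: $email_address$</title>
      <table>
        <search>
          <query>index=email (sender=$email_address$ OR recipient=$email_address$) | table _time sender recipient subject</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

Because the child searches interpolate the token directly, a clicked value containing spaces or quotes would need quoting in the query (for example user="$user_id$"); the wildcard default still works with quotes in place.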

anjambha
Communicator

Hi MikeElliott,

You can make the other three panels of the dashboard depend on the "AD_User_Search" panel.

Or

Create drop-down of user_id and email_address from "AD_User_Search".


MikeElliott
Communicator

Hi anjambha,

In your second suggestion, how would we populate the drop downs with the results from the "AD_User_Search"?

An example search string for the "AD_User_Search" would be index=active_directory username=XXX | table username user_id email_address


anjambha
Communicator

So, in this case for proper output you can create three drop-down inputs:
1) index=active_directory | dedup username | table username
2) index=active_directory username=$username$ | table user_id
3) index=active_directory username=$username$ | table email_address
