Splunk Search

finding result based off 2 queries

gregwilliams
Path Finder

I asked this question last year and the search worked great, but as of version 5, I'm not getting any results anymore. Logs from one source look like this:

04/02/13-11:34:57.686794 [**] [1:2008038:8] ET MALWARE User-Agent (Mozilla/4.0 (compatible ICS)) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} xxx.xxx.xxx.xxx:51611 -> yyy.yyy.yyy.yyy:80

and the logs that I'm interested look like this:

Apr 2 11:40:45 wc-b authmgr[1613]: <522008> User Authentication Successful: username=user MAC=xx.xx.xx.xx.xx.xx IP=xxx.xxx.xxx.xxx role=Wireless-Campus-Compliant VLAN=2190

The search that I'm interested in pulls the username out of the second query. This search worked great last year: "Trojan" | map search="search "User Authentication" IP=$dest_ip$" | fields username

It's not working any more. The dest_ip from the first source should map to the IP address in the second source. I get no results. Any thoughts on what changed or what I could do differently to return the same result?

Tags (1)
0 Karma

martin_mueller
SplunkTrust
SplunkTrust

I'm not sure what may have changed, but here's a different approach. You're basically trying to use the dest_ip field from one search to find events in another search, right? A basic pattern for that looks like this:

"User Authentication" [search "Trojan" | dedup dest_ip | table dest_ip]

The subsearch will evaluate to something like this:

( ( dest_ip = "..." ) OR ( dest_ip = "..." ) ... OR ( dest_ip ="..." ) )
0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!