I asked this question last year and the search worked great, but as of version 5, I'm not getting any results anymore. Logs from one source look like this:
04/02/13-11:34:57.686794 [**] [1:2008038:8] ET MALWARE User-Agent (Mozilla/4.0 (compatible ICS)) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} xxx.xxx.xxx.xxx:51611 -> yyy.yyy.yyy.yyy:80
and the logs that I'm interested in look like this:
Apr 2 11:40:45 wc-b authmgr[1613]: <522008>
The search that I'm interested in pulls the username out of the second query. This search worked great last year: "Trojan" | map search="search "User Authentication" IP=$dest_ip$" | fields username
It's not working any more. The dest_ip from the first source should map to the IP address in the second source. I get no results. Any thoughts on what changed or what I could do differently to return the same result?
I'm not sure what may have changed, but here's a different approach. You're basically trying to use the dest_ip field from one search to find events in another search, right? A basic pattern for that looks like this:
"User Authentication" [search "Trojan" | dedup dest_ip | table dest_ip]
The subsearch will evaluate to something like this:
( ( dest_ip = "..." ) OR ( dest_ip = "..." ) ... OR ( dest_ip ="..." ) )
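As an added illustration of the pattern described in the answer above (this is not Splunk code and not the answerer's own material), the following Python script simulates what the subsearch does: it runs the inner "Trojan" search over the IDS alerts, dedups the destination IPs, renders the OR-clause the subsearch would expand to, and then uses that IP list to pick the matching "User Authentication" events and their usernames. The IDS lines follow the fast-alert format shown in the question, with RFC 5737 documentation addresses in place of the x/y placeholders. The authmgr line in the question is truncated, so the `username=... IP=...` key=value payload used for the authentication events is a constructed assumption, not the real message format.

```python
import re

# Constructed sample input: IDS alerts in the fast-alert format quoted in the
# question (documentation addresses substituted for the masked x/y octets).
ALERT_LINES = """\
04/02/13-11:34:57.686794 [**] [1:2008038:8] ET MALWARE User-Agent (Mozilla/4.0 (compatible ICS)) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.10:51611 -> 198.51.100.5:80
04/02/13-11:35:02.104410 [**] [1:2008038:8] ET MALWARE User-Agent (Mozilla/4.0 (compatible ICS)) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.11:49201 -> 198.51.100.5:80
04/02/13-11:36:40.000001 [**] [1:2010937:2] ET POLICY Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.12:40000 -> 198.51.100.7:3306
"""

# Constructed sample input: authentication events. The question's authmgr line
# stops after "<522008>", so the key=value payload here is an ASSUMPTION.
AUTH_LINES = """\
Apr 2 11:40:45 wc-b authmgr[1613]: <522008> User Authentication Successful: username=alice IP=198.51.100.5
Apr 2 11:41:10 wc-b authmgr[1613]: <522008> User Authentication Successful: username=bob IP=198.51.100.9
Apr 2 11:42:03 wc-b authmgr[1613]: <522008> User Authentication Successful: username=carol IP=198.51.100.7
Apr 2 11:43:30 wc-b authmgr[1613]: <522009> User Authentication Failed: username=mallory IP=198.51.100.5
"""

# Fast-alert layout: ts [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"\[Classification: (?P<classification>[^\]]*)\] \[Priority: (?P<priority>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src_ip>[\d.]+):(?P<src_port>\d+) -> (?P<dest_ip>[\d.]+):(?P<dest_port>\d+)$"
)

# key=value pairs in the (assumed) authmgr payload
KV_RE = re.compile(r"(?P<key>\w+)=(?P<value>\S+)")


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a fast-alert record."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None


def parse_auth(line):
    """Extract key=value fields from an authentication event (assumed format)."""
    return dict(KV_RE.findall(line))


def subsearch_dest_ips(alert_lines, term="Trojan"):
    """Equivalent of:  search "Trojan" | dedup dest_ip | table dest_ip
    Keeps first-seen order so the rendered clause is deterministic."""
    ips = []
    for line in alert_lines:
        if term not in line:          # the free-text "Trojan" search term
            continue
        ev = parse_alert(line)
        if ev and ev["dest_ip"] not in ips:
            ips.append(ev["dest_ip"])
    return ips


def render_subsearch(ips, field="IP"):
    """Render the OR-clause a Splunk subsearch expands into. The field name is
    the one the OUTER search must match on (IP in the auth events), which is why
    a real subsearch needs `| rename dest_ip AS IP` before it is expanded."""
    return "( " + " OR ".join(f'( {field}="{ip}" )' for ip in ips) + " )"


def find_usernames(auth_lines, ips, term="User Authentication"):
    """Outer search: "User Authentication" [subsearch]  | fields IP username"""
    wanted = set(ips)
    hits = []
    for line in auth_lines:
        if term not in line:
            continue
        ev = parse_auth(line)
        if ev.get("IP") in wanted and "username" in ev:
            hits.append((ev["IP"], ev["username"]))
    return hits


def correlate(alert_text=ALERT_LINES, auth_text=AUTH_LINES):
    """Run the whole pipeline over the sample data and return (clause, hits)."""
    ips = subsearch_dest_ips(alert_text.splitlines())
    return render_subsearch(ips), find_usernames(auth_text.splitlines(), ips)


if __name__ == "__main__":
    clause, hits = correlate()
    print("subsearch expands to:", clause)
    for ip, user in hits:
        print(f"{ip} -> {user}")
```

Two things the simulation makes visible. First, the subsearch emits its values under the field name it was given, so `[search "Trojan" | dedup dest_ip | table dest_ip]` expands to `dest_ip="..." OR ...`, which the authentication events (whose field is `IP`) will never match; add `| rename dest_ip AS IP` inside the subsearch so the outer search filters on the right field. Second, keeping `dedup` in the subsearch matters: subsearches are capped (by default on result count and run time), and a busy IDS source can exceed the cap with raw alerts long before it exceeds it with distinct destination addresses.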