Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

rename error in search

pinzer
Path Finder
‎10-18-2010 01:25 PM

Hi all , i'm working on this query:

sourcetype="webseal_access" OR sourcetype="wmi:wineventlog:security" | rename Source_Network_Address as IP | rename IP_Source as IP [search eventtype="searchIPS" Direction="Inbound" Severity="Medium"  DestinationIP=* | fields DestinationIP | rename DestinationIP as IP]

but i get this error:

In rename: Usage: rename [old_name AS/TO/-> new_name]+

i need to search from sourcetype=webseal and sourcetype=wmi where the source ip are the same in the subsearch. how can i do this? thanks

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎10-18-2010 03:13 PM

You have two problems with this search. First, the subsearch should be the argument to a | search command, not to the rename command. Second, the second rename will clobber the first. You could rewrite your search as:

sourcetype="webseal_access" OR sourcetype="wmi:wineventlog:security"
| eval IP = if(sourcetype="webseal_access", Source_Network_Address, IP_Source)
| search [search eventtype="searchIPS" Direction="Inbound" Severity="Medium"  DestinationIP=* | fields DestinationIP | rename DestinationIP as IP | dedup IP]

However, this search is going to retrieve every event from webseal_access and wmi:wineventlog:security, which may be inefficient.

I'd probably recommend setting up field aliases (http://www.splunk.com/base/Documentation/latest/Knowledge/Addaliasestofields) for the three sourcetypes, creating an implicit IP field. Then you could just search:

sourcetype="webseal_access" OR sourcetype="wmi:wineventlog:security" [search eventtype="searchIPS" Direction="Inbound" Severity="Medium"  DestinationIP=* | dedup IP | fields IP]

Note that by default, a subsearch will yield 100 rows, so only 100 different IPs here. The easiest way to get around this is with stats (assuming you have field aliasing in place):

sourcetype="webseal_access" OR sourcetype="wmi:wineventlog:security" OR (eventtype="searchIPS" Direction="Inbound" Severity="Medium" IP=*)
| stats values(eventtype) as eventtype ... by IP
| search eventtype="searchIPS"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎10-18-2010 03:13 PM

You have two problems with this search. First, the subsearch should be the argument to a | search command, not to the rename command. Second, the second rename will clobber the first. You could rewrite your search as:

sourcetype="webseal_access" OR sourcetype="wmi:wineventlog:security"
| eval IP = if(sourcetype="webseal_access", Source_Network_Address, IP_Source)
| search [search eventtype="searchIPS" Direction="Inbound" Severity="Medium"  DestinationIP=* | fields DestinationIP | rename DestinationIP as IP | dedup IP]

However, this search is going to retrieve every event from webseal_access and wmi:wineventlog:security, which may be inefficient.

I'd probably recommend setting up field aliases (http://www.splunk.com/base/Documentation/latest/Knowledge/Addaliasestofields) for the three sourcetypes, creating an implicit IP field. Then you could just search:

sourcetype="webseal_access" OR sourcetype="wmi:wineventlog:security" [search eventtype="searchIPS" Direction="Inbound" Severity="Medium"  DestinationIP=* | dedup IP | fields IP]

Note that by default, a subsearch will yield 100 rows, so only 100 different IPs here. The easiest way to get around this is with stats (assuming you have field aliasing in place):

sourcetype="webseal_access" OR sourcetype="wmi:wineventlog:security" OR (eventtype="searchIPS" Direction="Inbound" Severity="Medium" IP=*)
| stats values(eventtype) as eventtype ... by IP
| search eventtype="searchIPS"
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security(ES) 7.3 is approaching the end of support. Get ready for ...

Hi friends!    At Splunk, your product success is our top priority. With Enterprise Security (ES), we're here ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...