rename error in search

Hi all, I'm working on this query:

sourcetype="webseal_access" OR sourcetype="wmi:wineventlog:security" | rename Source_Network_Address as IP | rename IP_Source as IP [search eventtype="searchIPS" Direction="Inbound" Severity="Medium"  DestinationIP=* | fields DestinationIP | rename DestinationIP as IP]

but I get this error:

In rename: Usage: rename [old_name AS/TO/-> new_name]+

I need to search sourcetype=webseal and sourcetype=wmi for events whose source IPs are the same as the IPs returned by the subsearch. How can I do this? Thanks.


Splunk Employee

You have two problems with this search. First, the subsearch should be the argument to a | search command, not to the rename command. Second, the second rename will clobber the first. You could rewrite your search as:

sourcetype="webseal_access" OR sourcetype="wmi:wineventlog:security"
| eval IP = if(sourcetype="webseal_access", Source_Network_Address, IP_Source)
| search [search eventtype="searchIPS" Direction="Inbound" Severity="Medium"  DestinationIP=* | fields DestinationIP | rename DestinationIP as IP | dedup IP]

However, this search is going to retrieve every event from webseal_access and wmi:wineventlog:security, which may be inefficient.

I'd probably recommend setting up field aliases (http://www.splunk.com/base/Documentation/latest/Knowledge/Addaliasestofields) for the three sourcetypes, creating an implicit IP field. Then you could just search:

sourcetype="webseal_access" OR sourcetype="wmi:wineventlog:security" [search eventtype="searchIPS" Direction="Inbound" Severity="Medium"  DestinationIP=* | dedup IP | fields IP]

Note that by default, a subsearch will yield 100 rows, so only 100 different IPs here. The easiest way to get around this is with stats (assuming you have field aliasing in place):

sourcetype="webseal_access" OR sourcetype="wmi:wineventlog:security" OR (eventtype="searchIPS" Direction="Inbound" Severity="Medium" IP=*)
| stats values(eventtype) as eventtype ... by IP
| search eventtype="searchIPS"

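As an added example (not part of the accepted answer), here is the stats-based correlation written out in full. It normalises the three IP fields with coalesce instead of relying on field aliases, so it runs against the field names from the question as they are; the per-IP counters and the first/last-seen columns are an assumption about what is useful to see for each correlated IP.

```spl
sourcetype="webseal_access" OR sourcetype="wmi:wineventlog:security"
    OR (eventtype="searchIPS" Direction="Inbound" Severity="Medium" DestinationIP=*)
| eval IP = coalesce(Source_Network_Address, IP_Source, DestinationIP)
| where isnotnull(IP)
| stats values(sourcetype) as sourcetypes,
        count(eval(eventtype="searchIPS")) as ips_alerts,
        count(eval(sourcetype="webseal_access")) as webseal_events,
        count(eval(sourcetype="wmi:wineventlog:security")) as wineventlog_events,
        min(_time) as first_seen, max(_time) as last_seen
        by IP
| where ips_alerts > 0 AND (webseal_events > 0 OR wineventlog_events > 0)
| convert ctime(first_seen) ctime(last_seen)
| sort - ips_alerts
```

Because the join happens in stats rather than in a subsearch, there is no 100-row cap on the number of IPs, but the output is one summary row per IP rather than the raw webseal or Windows events; if you need the events themselves, the subsearch form above is the one to use, within its result limit.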
