Splunk Search

rename error in search


Hi all, I'm working on this query:

sourcetype="webseal_access" OR sourcetype="wmi:wineventlog:security" | rename Source_Network_Address as IP | rename IP_Source as IP [search eventtype="searchIPS" Direction="Inbound" Severity="Medium"  DestinationIP=* | fields DestinationIP | rename DestinationIP as IP]

but I get this error:

In rename: Usage: rename [old_name AS/TO/-> new_name]+

I need to search from sourcetype=webseal and sourcetype=wmi where the source IP is the same as in the subsearch. How can I do this? Thanks


Splunk Employee

You have two problems with this search. First, the subsearch should be the argument to a | search command, not to the rename command. Second, the second rename will clobber the first. You could rewrite your search as:

sourcetype="webseal_access" OR sourcetype="wmi:wineventlog:security"
| eval IP = if(sourcetype="webseal_access", Source_Network_Address, IP_Source)
| search [search eventtype="searchIPS" Direction="Inbound" Severity="Medium"  DestinationIP=* | fields DestinationIP | rename DestinationIP as IP | dedup IP]

However, this search is going to retrieve every event from webseal_access and wmi:wineventlog:security, which may be inefficient.

I'd probably recommend setting up field aliases (http://www.splunk.com/base/Documentation/latest/Knowledge/Addaliasestofields) for the three sourcetypes, creating an implicit IP field. Then you could just search:

sourcetype="webseal_access" OR sourcetype="wmi:wineventlog:security" [search eventtype="searchIPS" Direction="Inbound" Severity="Medium"  DestinationIP=* | dedup IP | fields IP]

Note that by default, a subsearch will yield 100 rows, so only 100 different IPs here. The easiest way to get around this is with stats (assuming you have field aliasing in place):

sourcetype="webseal_access" OR sourcetype="wmi:wineventlog:security" OR (eventtype="searchIPS" Direction="Inbound" Severity="Medium" IP=*)
| stats values(eventtype) as eventtype ... by IP
| search eventtype="searchIPS"

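The stats-based correlation from the answer above, written out in full as an added example (not the answer author's own query). It assumes the IPS events carry the address in DestinationIP as in the question's subsearch, that the webseal_access and wmi:wineventlog:security events carry it in Source_Network_Address and IP_Source, and the stats output fields (sourcetypes, eventtypes, events, first_seen, last_seen) are names chosen here, not from the page.

```spl
sourcetype="webseal_access" OR sourcetype="wmi:wineventlog:security"
    OR (eventtype="searchIPS" Direction="Inbound" Severity="Medium" DestinationIP=*)
| eval IP = coalesce(Source_Network_Address, IP_Source, DestinationIP)
| stats values(sourcetype) as sourcetypes, values(eventtype) as eventtypes,
        count as events, min(_time) as first_seen, max(_time) as last_seen by IP
| search eventtypes="searchIPS"
    AND (sourcetypes="webseal_access" OR sourcetypes="wmi:wineventlog:security")
| convert ctime(first_seen) ctime(last_seen)
```

coalesce() takes the first non-null of the three address fields, so no field alias is needed, and because stats groups every event by IP in one pass there is no subsearch and therefore no 100-row cap; the final search keeps only IPs seen in both the IPS alerts and at least one of the two log sourcetypes (a multivalue field matches when any of its values does).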
